Most antivirus software works in a similar fashion: when an unknown file is saved to the hard drive, the antivirus software will usually perform a "real time scan" either instantly or within a couple of minutes. If the unknown file is determined to be a suspected threat, the file will then be automatically quarantined and moved to a secure location pending further user instructions, or it will simply be deleted.

[Image: Panda antivirus system files in quarantine]

Given the nature of how antivirus software has to operate, almost all of them run in a privileged state, meaning the highest level of authority within the operating system. Therein lies a fundamental flaw: the file operations are (almost) always performed at the highest level, which opens the door to a wide range of security vulnerabilities and various race conditions.

What most antivirus software fails to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software, interfere with the operating system to render it useless, etc.

This exploit was used against Kaspersky Internet Security for macOS and downloads the EICAR test-string from an alternate source (Pastebin) to bypass real-time protection that prohibits downloading the test-string from the official website. Once the test-string has been downloaded, the antivirus software immediately detects the file as malware and attempts to clean it up. In our testing, we were able to identify an approximate delay of 6-8 seconds that allows a race condition to occur, which can result in a symlink attack causing any file to be removed because the software runs as root.

It's worth noting that the above Proof of Concept for macOS also works for some Linux antivirus software. In our testing, we were able to delete important files that would have rendered either the antivirus software or the operating system inoperable, given that most file operations run as the root user. One of the benefits of exploiting antivirus software for Linux is the wide range of available tools to help with the race condition timings. In our case, we found the use of 'inotifywait' to be extremely helpful. For example, the following Proof of Concept worked against Eset File Server Security:

```shell
# Wait for the scanner to open the staged file, then swap the directory for a symlink to /etc
while inotifywait -m "/home/user/exploit/passwd" | grep -m 5 "OPEN"
do
    rm -rf /home/user/exploit
    ln -s /etc /home/user/exploit
done
```
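The defensive counterpart to the race described above is a cleanup routine that never resolves a path through a directory that may have been swapped for a symlink between the scan and the delete. The following Python is an added example written for this page, not code from the post or from any of the products it names: `naive_remove` shows the pattern the post describes (a privileged process unlinking a full path, following whatever the parent components have become), and `safe_remove` walks the path one component at a time with `O_NOFOLLOW | O_DIRECTORY` relative to the previous directory descriptor, so a parent that has turned into a symlink makes `open()` fail instead of redirecting the unlink. The `demo()` function builds a constructed sandbox under a temporary directory (an `etc/passwd` stand-in and an `exploit` entry already replaced by a symlink, i.e. the post-race state); all names are hypothetical.

```python
import os
import tempfile


def naive_remove(path: str) -> None:
    """The pattern the post describes: resolve the full path and unlink it.

    os.remove() itself does not follow a symlink at the leaf, but the kernel
    resolves every parent component, so if 'exploit' has become a symlink
    to /etc the call removes /etc/passwd.
    """
    os.remove(path)


def safe_remove(base_dir: str, rel_path: str) -> None:
    """Remove base_dir/rel_path without following any symlinked directory.

    Each component is opened relative to the previous directory fd with
    O_NOFOLLOW | O_DIRECTORY. A directory swapped for a symlink in the
    scan-to-cleanup window makes os.open() raise OSError (ELOOP/ENOTDIR)
    rather than walking into the link target.
    """
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("refusing a path that escapes the base directory")
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(base_dir, flags)  # base_dir must be a real directory, not a link
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, flags, dir_fd=fd)  # fails if comp is now a symlink
            os.close(fd)
            fd = nfd
        # unlink relative to the verified directory; a symlinked leaf would
        # only remove the link itself, never its target
        os.unlink(parts[-1], dir_fd=fd)
    finally:
        os.close(fd)


def _stage(root: str) -> str:
    """Constructed post-race state: victim file plus 'exploit' -> victim dir symlink."""
    victim_dir = os.path.join(root, "etc")  # stands in for /etc
    os.makedirs(victim_dir, exist_ok=True)
    victim = os.path.join(victim_dir, "passwd")
    with open(victim, "w") as fh:
        fh.write("constructed sample line\n")
    link = os.path.join(root, "exploit")
    if os.path.lexists(link):
        os.remove(link)
    os.symlink(victim_dir, link)
    return victim


def demo() -> dict:
    """Run both removers against the constructed sandbox and report outcomes."""
    root = os.path.realpath(tempfile.mkdtemp())  # realpath: /tmp may itself be a link
    results = {}

    # 1. naive cleanup follows the swapped directory and deletes the victim
    victim = _stage(root)
    naive_remove(os.path.join(root, "exploit", "passwd"))
    results["naive_survived"] = os.path.exists(victim)

    # 2. hardened cleanup refuses to traverse the symlink; victim is intact
    victim = _stage(root)
    try:
        safe_remove(root, "exploit/passwd")
        results["safe_error"] = None
    except OSError as exc:
        results["safe_error"] = type(exc).__name__
    results["safe_survived"] = os.path.exists(victim)

    # 3. the hardened path still works for a genuine detection in a real directory
    os.remove(os.path.join(root, "exploit"))
    os.mkdir(os.path.join(root, "exploit"))
    staged = os.path.join(root, "exploit", "passwd")
    open(staged, "w").close()
    safe_remove(root, "exploit/passwd")
    results["legit_removed"] = not os.path.exists(staged)
    return results


if __name__ == "__main__":
    print(demo())
```

The same idea applies to quarantine moves: open the source and destination directories first, then use `os.rename(src, dst, src_dir_fd=..., dst_dir_fd=...)` so the rename is relative to descriptors the scanner already validated rather than to paths an unprivileged user can re-point.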