Symlink race bugs discovered in 28 antivirus products


Security researchers at RACK911 Labs said in a recent report that they found "symlink race" vulnerabilities in 28 of today's most popular antivirus programs. According to RACK911, the bugs can be exploited by an attacker to delete files used by the antivirus or the operating system, which crashes the software or renders the computer unusable.

The vulnerability class at the heart of these bugs is called a "symlink race", said Dr Vesselin Bontchev, a member of the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences. A symbolic link flaw occurs when a malicious file is linked to a legitimate file, so that an action intended for the malicious file is carried out on the legitimate one instead. "Symlink race" vulnerabilities are often used to link malicious files to higher-privileged items, resulting in privilege-escalation attacks.

“This is a very real and old problem with operating systems that allow competing processes,” Dr. Bontchev told Today US. “Many programs have been found to suffer in the past.”

In a report released last week, the RACK911 team said it has been studying the presence of these bugs in antivirus products since 2018. They found that 28 products on Linux, Mac and Windows were vulnerable and informed vendors as they went along. “Most antivirus vendors have repaired their products with a few exceptions,” RACK911 said. “Some publishers have acknowledged the problems in public notices [1, 2, 3, 4], while others appear to have implemented silent patches.” The RACK911 team did not name the products that were not patched.

RACK911 states that antivirus products in particular are vulnerable to this type of attack because of how they operate. There is a window between the moment a file is scanned and deemed malicious and the moment the antivirus intervenes to remove the threat. The attack consists of replacing the malicious file with a symbolic link to a legitimate file within that window.

The RACK911 researchers created proof-of-concept scripts that abuse this race condition to point the path of a malicious file at a legitimate file, via directory junctions (on Windows) and symbolic links (on Mac and Linux). When the antivirus detects the malicious file and decides to delete it, it ends up deleting its own files, or key files belonging to the operating system.
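The two paragraphs above describe a time-of-check/time-of-use window: the scanner records a path, and by the time the removal step runs, a directory component of that path has been swapped for a link to somewhere else. The following Python script is an added illustration written for this page; it is not RACK911's proof-of-concept code and does not target any product. It contrasts the fragile pattern (delete by path name, letting the kernel re-resolve every component) with a hardened removal routine that walks the scan-time canonical path with `O_NOFOLLOW`, re-checks the file's device/inode identity against what was scanned, and unlinks relative to a directory file descriptor. The scenario is constructed in a temporary directory; `scan_file`, `naive_delete`, `safe_delete` and `demo` are names chosen here. It uses POSIX `dir_fd` semantics, so it runs on Linux and macOS only; the Windows junction case follows the same principle (open without following reparse points and verify identity) but is not shown.

```python
import os
import shutil
import stat
import tempfile


def scan_file(path):
    """Stand-in for the scanner step. Records what was actually examined: the
    symlink-free canonical path plus the file's (device, inode) identity.
    lstat() is used so a symlink handed to the scanner is never followed."""
    canonical = os.path.realpath(path)
    st = os.lstat(canonical)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("scanner only handles regular files")
    return canonical, (st.st_dev, st.st_ino)


def naive_delete(path):
    """The fragile pattern: deleting by name makes the kernel re-resolve every
    directory component right now, so a component that became a symlink after
    the scan is silently followed."""
    os.unlink(path)


def safe_delete(canonical, identity):
    """Hardened removal. Walks the scan-time canonical path one component at a
    time with O_NOFOLLOW (a directory that turned into a symlink aborts the
    walk with ELOOP), then checks the file is still the exact inode that was
    scanned before unlinking it relative to the directory fd (unlinkat
    semantics). Returns True only if the scanned file itself was removed."""
    parts = [p for p in canonical.split(os.sep) if p]
    dir_parts, name = parts[:-1], parts[-1]
    fd = os.open(os.sep, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in dir_parts:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        st = os.stat(name, dir_fd=fd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != identity:
            return False  # not the file that was scanned: refuse and rescan
        os.unlink(name, dir_fd=fd)
        return True
    except OSError:
        return False  # ELOOP, ENOENT, EACCES: refuse rather than guess
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a scanned directory is replaced, after the scan,
    by a symlink to another directory that holds a same-named bystander file."""
    base = tempfile.mkdtemp()
    scanned_dir = os.path.join(base, "downloads")
    other_dir = os.path.join(base, "protected")
    os.mkdir(scanned_dir)
    os.mkdir(other_dir)
    target = os.path.join(scanned_dir, "sample.bin")
    bystander = os.path.join(other_dir, "sample.bin")
    with open(bystander, "w") as f:
        f.write("legitimate file that must survive\n")
    result = {}

    # 1. No race: the scanned file is removed and reported as removed.
    with open(target, "w") as f:
        f.write("detected sample\n")
    canonical, identity = scan_file(target)
    result["removed_when_unchanged"] = safe_delete(canonical, identity)

    # 2. Race: between scan and delete, the directory component becomes a symlink.
    with open(target, "w") as f:
        f.write("detected sample\n")
    canonical, identity = scan_file(target)
    shutil.rmtree(scanned_dir)
    os.symlink(other_dir, scanned_dir)

    result["safe_refused_after_swap"] = not safe_delete(canonical, identity)
    result["bystander_intact_after_safe"] = os.path.exists(bystander)
    naive_delete(target)  # follows the symlinked directory and removes the bystander
    result["bystander_intact_after_naive"] = os.path.exists(bystander)

    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

The identity check is what closes the window: a removal that refuses anything other than the exact inode it scanned cannot be redirected, no matter how quickly the path is swapped, and the `O_NOFOLLOW` walk turns a redirected directory into an error instead of a silent follow. In a real product the same routine should also run with the least privilege the removal needs, since the damage in the report came from the scanner's elevated rights.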

“During our tests on Windows, macOS and Linux, we were able to easily delete important files related to antivirus software that made it ineffective and even delete key files from the operating system that would cause significant corruption requiring a complete reinstallation of the operating system,” said the RACK911 researchers.

Most of the bugs have been fixed





The RACK911 proof-of-concept code released last week only deletes files. According to Dr. Bontchev, such attacks would be more dangerous if they overwrote the files instead, which could be feasible, and would lead to a total takeover of the attacked system.

Real-world attacks using the RACK911 bugs would require an attacker to already be able to download and execute the symlink attack code on a device. This is not something that helps attackers break into a system, but something that could help them extend their access on a system they have already compromised.

This means that this type of bug can only be used as a second-step payload in a malware infection, to elevate privileges, to disable security products or to sabotage computers in a destructive attack. “Make no mistake, the exploitation of these flaws was quite trivial and experienced malware writers will have no problem arming the tactics described in this blog post,” RACK911 said.

For now, most of the bugs that RACK911 found in antivirus products have been fixed. However, variations could easily be discovered. Symlink race condition bugs have been among the oldest and most difficult classes of application bugs to mitigate in recent decades, on every operating system.
