This blog was written by Brook Schoenfield.
On November 10, a researcher reported the vulnerability AVGater, which affects some antimalware products. The vulnerability allows a user without administrative privileges to restore a quarantined file in a user’s defined location.
After internal reviews and with confirmation from the author of the blog, McAfee believes no McAfee products are affected by the privilege escalation vulnerability described in the AVGater blog.
The mechanism that allows users to restore files from quarantine in McAfee products is either locked by default or is available only to users with administrative privileges, providing an additional layer of protection to our customers.
AVGater, as described by blog author Florian Bogner, is based upon antimalware products use of a permanent storage area (folder or directory) to contain software that the antimalware program has “convicted”—executables believed to be malicious. Once convicted, the malicious software must be placed somewhere where it cannot execute and cause (further) harm.
Why not just immediately delete convicted software? If files were summarily deleted, there would always be a chance the files had been incorrectly convicted and might be important to the user. Unfortunately, no software can be considered perfect.[i] False detections occasionally occur, even with the most comprehensive and accurate software. Placing files into “quarantine,” the reserved safe area, mitigates the potential for an accidental removal of users’ important files.
Because of the potential of false-positive malware conviction, nearly every endpoint protection program makes use of a “quarantine” location, where assessed bad files are placed before deletion, just in case there has been a mistake in the identification algorithms.
Researcher Bogner has uncovered a way that quarantined software can be restored to execute, potentially with a privilege escalation from user-level privileges to the Windows system user. He has named the technique AVGater.
Privilege escalation is a critical step in the path to the full compromise of an operating system. Although a user may not have permission to write executable software into directories reserved for the operating system, if an attacker can execute malware from one of Windows’ system directories, an attacker can begin to subvert or replace critical system software with malware. Full control of the operating system may be within reach by just a few, perhaps undetected, steps.
Privilege escalation to the level of the Windows’ system user is not an attacker’s ultimate exploit, but it is a significant step that provides attackers assistance toward their goals.
We live in a world in which techniques to get users to take a single step (click, save, open, view, read) is commonplace; there are thousands of spoofs, scams, confidence games, and social engineering techniques. If you live in the digital world, you have been exposed to many of these, maybe every day.
It is not hard to imagine that attackers, having gotten their software placed into AV quarantine, can execute subsequent software, perhaps through tricking users in some manner.
AVGater is not a straightforward attack. Successful quarantine removal and copying to a system directory must be proceeded by other steps for attackers to achieve their goals, whether controlling additional hosts for a botnet, gathering account information, or other ends. (See the section “AVGater technique,” below, for more information.)
Getting malware onto a Windows machine is relatively uncomplicated; it happens thousands of times every day. Tricking users to proceed is also well understood by attackers with varying levels of technical skill. Thus we believe that attacks based upon AVGater are credible, if not particularly straightforward.
AVGater has not yet been widely used by attackers. Nonetheless, it should be easy for a malware writer to drop detection defenses to force a conviction and quarantine of an attack. This step makes this attack noteworthy: Malware writers already know how to be identified by antimalware programs.
All of AVGater’s steps seem well within reasonable capabilities of competent attackers. Users whose security software is vulnerable should update to a patched version as soon as possible.
It is a poor idea to conduct day-to-day operations from the Windows administrator account. McAfee recommends that users start with a less privileged, user-level account and elevate to administrative privileges only for necessary operations and only for as long as needed to complete a task. Consumers should set up a nonadministrator account as the usual login.
McAfee® ePolicy Orchestrator® (McAfee ePO™) administrators should use the product’s capabilities to reduce the privileges that users need for common tasks, and thus reduce the privilege levels required by most users.
Always running with administrative privileges is a dangerous practice. One mistake can allow a complete compromise. Attackers do not need to go through the steps of AVGater or other privilege escalation. If attackers can execute some code as administrators, they can probably compromise Windows completely. AVGater does not lend attackers any additional advantage.
Users who recognize social engineering attacks will have an advantage in protecting themselves, because they are much less likely to accept suspicious software and fall for tricks that execute the secondary steps required in this attack.
As always, all users are advised to avoid public hotspots. If you must use one, be sure to make use of your company’s VPN services as soon as you join, or use some other VPN technology to conduct your online activities. Always disable unneeded services; do not leave file sharing on except for highly trusted networks; do not blindly accept files from untrusted sources, especially on unsecured and untrusted networks. We should always follow these safe computing practices irrespective of the latest attack technique or the state of our computing protections.
McAfee continues to investigate potential attack vectors related to AVGater. As of this writing, both McAfee and Florian Bogner have found no unmitigated paths through a McAfee product. If we discover additional information, we will update this post.
To promulgate this attack, the security software must identify an attacker-controlled program as malware, which will result in quarantine. The attacker must next switch the quarantined file for malware that will further the attack. Then the attacker must set up the necessary Windows file “junction” so that removing the file from quarantine also copies it into a directory with Windows system privileges.
Any number of tricks can convince at least some users into executing additional malicious software that removes the attack software from quarantine and, through the previously set-up file junction, places the software into a privileged directory. The attacker then must somehow execute the attack software from the joined system directory to proceed.
Attackers have developed numerous methods for avoiding or fooling attempts at conviction, while antimalware makers spend a significant proportion of their efforts identifying the attackers tricks so that malware will be accurately identified.
For malware writers to use this technique, they need obvious malware that will ensure conviction. Accompanying the “red herring” malware must be additional software that can hide its true intent (replace the quarantined item, set up file junction, induce the copying to system privileges, and execute the attacker’s code).
Compared with executing one or two steps against users who are running with administrative privileges, AVGater requires more steps, each of which must be executed successfully and in proper order. AVGater demands greater skill to include careful interactions between at least three steps, and at least one user-induced action. This scenario is credible, though more involved than other easy, repeatable attacks.
[i] Software can be proven to be incorrect, but it is difficult to prove it absolutely error free. Readers may wish to investigate Alan Turing’s “Turing’s Proof,” whose math is believed to prove that an automated process cannot prove that an automated process is correct.