Florian Bogner, a researcher with security firm Kapsch, has disclosed an attack against antivirus products that he calls ‘AVGater’. It abuses the ‘restore from quarantine’ feature found in many antivirus programs: a file the AV has already quarantined is moved back out of the quarantine store, but into a sensitive location of the attacker’s choosing rather than the place it came from. For those unaware, quarantine is a protected store in which an antivirus program places files it has flagged as potentially malicious. The restore feature exists so that users can recover files that were wrongly flagged, known as false positive detections. Bogner said in a blog post that the flaw lets a user take an entry out of quarantine and have it written somewhere else on the targeted computer, where it can then be executed. Bogner has also published a video that walks through how the attack works.
As explained in the video, a local attacker turns the antivirus’ own restore routine into a file write that runs with the AV service’s privileges. Normally a non-administrator user cannot write to system folders such as ‘Program Files’ or ‘Windows’, but by abusing an NTFS feature called a directory junction point the attacker can redirect the restore: once the file has been quarantined, the directory it came from is replaced with a junction that points at a privileged directory, for instance a folder inside C:\Program Files or C:\Windows, so that restoring the file writes it there instead.

“AVGater can be used to restore a previously quarantined file to any arbitrary file system location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs [Access Control Lists] can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system,” Bogner explained.

The most significant limitation of AVGater is that the attacker must already be able to act as a local, non-administrator user on the targeted PC; it is a local privilege escalation, not a remote attack. Prior to disclosure, Bogner reproduced the attack against products from Kaspersky Lab, Malwarebytes, Trend Micro, Emsisoft, Ikarus and ZoneAlarm. All of these vendors have since released patches, while additional unnamed antivirus vendors are still working on fixes expected in the coming days. Bogner’s advice to users is to keep their antivirus products updated. For enterprise users, he advises not allowing ordinary users to restore files from quarantine.
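The following is an added example written for this article, not code from Bogner’s research or from any antivirus vendor. It models the AVGater pattern on any operating system: a quarantine entry records the path a file was taken from, the “privileged” restore routine writes the file back to that path, and in between the attacker replaces the source directory with a link into a protected directory. A POSIX symlink stands in for the NTFS junction (on Windows a junction created with `mklink /J` needs no special privilege, whereas `os.symlink` does), the directory names, the `QuarantineEntry` class and the `restore_unsafe` / `restore_safe` functions are all constructed for illustration. The hardened variant shows the check a restore routine should make: refuse if any component of the target path is a reparse point or symlink, and require the directory to resolve to the same canonical location it had when the file was quarantined.

```python
"""Added example: a toy quarantine/restore showing the AVGater junction trick
and a hardened restore that refuses to follow it. Not vendor code."""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class QuarantineEntry:
    original_path: str       # path recorded at detection time
    original_realpath: str   # canonical form of that path at detection time
    content: bytes           # the quarantined bytes


def is_reparse_point(path: str) -> bool:
    """True if *path* itself is a symlink (POSIX) or any NTFS reparse point
    (Windows: junctions, symlinks, mount points). Missing paths are not links."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)       # Windows only
    if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
        return True
    return stat.S_ISLNK(st.st_mode)


def path_has_reparse_component(path: str) -> bool:
    """Walk *path* and every ancestor, flagging any junction or symlink."""
    cur = os.path.abspath(path)
    while True:
        if is_reparse_point(cur):
            return True
        parent = os.path.dirname(cur)
        if parent == cur:            # reached the filesystem root
            return False
        cur = parent


def quarantine(path: str, content: bytes) -> QuarantineEntry:
    """Constructed stand-in for the AV engine: write the detected file, record
    where it was (including its canonical location), then remove it."""
    with open(path, "wb") as f:
        f.write(content)
    entry = QuarantineEntry(path, os.path.realpath(path), content)
    os.remove(path)
    return entry


def restore_unsafe(entry: QuarantineEntry) -> str:
    """The vulnerable pattern: trust the recorded path and write to it.
    Returns the canonical path the bytes actually landed at."""
    with open(entry.original_path, "wb") as f:
        f.write(entry.content)
    return os.path.realpath(entry.original_path)


def restore_safe(entry: QuarantineEntry) -> str:
    """Hardened restore: reject link/junction components and require the
    parent directory to resolve where it did at quarantine time."""
    target = os.path.abspath(entry.original_path)
    parent = os.path.dirname(target)
    if path_has_reparse_component(parent):
        raise PermissionError(f"refusing restore: link on path to {parent}")
    if os.path.realpath(parent) != os.path.dirname(entry.original_realpath):
        raise PermissionError("refusing restore: directory resolves elsewhere")
    # O_NOFOLLOW guards the final component too (absent on Windows -> 0)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(entry.content)
    return os.path.realpath(target)


def demo() -> dict:
    """Constructed scenario: file quarantined from a low-privilege directory,
    that directory swapped for a link into a 'privileged' one, then restored."""
    root = tempfile.mkdtemp()
    try:
        priv = os.path.join(root, "Program Files", "SomeApp")  # constructed
        user = os.path.join(root, "Users", "lowpriv", "drop")  # constructed
        os.makedirs(priv)
        os.makedirs(user)
        entry = quarantine(os.path.join(user, "payload.dll"), b"MZ-constructed")
        os.rmdir(user)                                   # attacker's swap:
        os.symlink(priv, user, target_is_directory=True)  # junction stand-in
        landed = restore_unsafe(entry)
        unsafe_escaped = landed.startswith(os.path.realpath(priv))
        os.remove(landed)
        try:
            restore_safe(entry)
            safe_blocked = False
        except PermissionError:
            safe_blocked = True
        return {"unsafe_escaped": unsafe_escaped, "safe_blocked": safe_blocked}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Recording the canonical path at detection time matters because the reparse-point walk alone can be raced: the attacker may swap the directory for a junction between the check and the write. Opening the final component with O_EXCL and O_NOFOLLOW (or, on Windows, opening the parent directory first and then creating the file relative to that handle) closes that window; the example keeps the simpler form to show the two checks clearly.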