Many widely trusted endpoint detection and response (EDR) products share a class of vulnerability that lets an attacker manipulate them into erasing virtually any file on the systems where they are installed.
Or Yair, a security researcher at SafeBreach who discovered the issue, tested 11 EDR tools from different vendors and found six of them—from a total of four vendors—to be vulnerable. The vulnerable products were Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus and SentinelOne.
Formal CVEs and Patches
Three of the vendors have assigned formal CVE numbers for the bugs and issued patches for them prior to Yair disclosing the issue at the Black Hat Europe conference on Wednesday, Dec 7.
At Black Hat, Yair released proof-of-concept code dubbed Aikido that he developed to demonstrate how a wiper, with just the permissions of an unprivileged user, could manipulate a vulnerable EDR into wiping almost any file on the system, including system files.
“We were able to exploit these vulnerabilities in more than 50% of the EDR and AV products we tested, including the default endpoint protection product on Windows,” Yair said in a description of his Black Hat talk. “We are lucky to have this discovered prior to real attackers, as these tools and vulnerabilities could have done a lot of damage falling in the wrong hands.” He described the wiper as likely being effective against hundreds of millions of endpoints running EDR versions vulnerable to the exploit.
In comments to Dark Reading, Yair says he reported the vulnerability to the affected vendors between July and August. “We then worked closely with them over the next several months on the creation of a fix prior to this publication,” he says. “Three of the vendors released new versions of their software or patches to address this vulnerability.” He identified the three vendors as Microsoft, TrendMicro, and Gen, the maker of the Avast and AVG products. “As of today, we have not yet received confirmation from SentinelOne about whether they have officially released a fix,” he says.
Yair describes the vulnerability as having to do with how some EDR tools delete malicious files. “There are two crucial events in this process of deletion,” he says. “There is the time the EDR detects a file as malicious and the time when the file is actually deleted,” and the deletion sometimes has to wait for a system reboot. Yair says he discovered that between these two events an attacker has the opportunity to use what is known as NTFS junction points to direct the EDR to delete a different file than the one it identified as malicious.
NTFS junction points are similar to symbolic links, which redirect a path to a file or directory located elsewhere on the system, except that a junction can only point at a directory, and only one on a local volume. The distinction matters here because Windows lets a standard user create a junction by default, whereas creating a symbolic link normally requires a separate privilege that unprivileged accounts do not have.
Triggering the Issue
Yair says that to trigger the issue on vulnerable systems he first created a malicious file, using the permissions of an unprivileged user, so the EDR would detect it and attempt to delete it. He then found a way to force the EDR to postpone deletion until after a reboot, by keeping the malicious file open. His next step was to create a C:\TEMP directory on the system, make it a junction to a different directory, and arrange things so that when the EDR product attempted to delete the malicious file after the reboot, it followed the stored path to a different file altogether. Yair found he could use the same trick to delete multiple files in different places on a computer by creating one directory junction and placing specially crafted paths to the targeted files within it for the EDR product to follow.
Yair says that with some of the tested EDR products, he was not able to do arbitrary file deletion but was able to delete entire folders instead.
The vulnerability affects EDR tools that postpone the deletion of malicious files until after a system reboot. In these cases, the EDR product stores the path to the malicious file in some location that varies by vendor and uses that path to delete the file after rebooting. Yair says some EDR products don’t check whether the stored path still leads to the same file after the reboot, giving attackers a way to insert a junction into the middle of the path between the check and the deletion. Such vulnerabilities fall into a class known as Time of Check Time of Use (TOCTOU) vulnerabilities, he notes.
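The deferred-deletion race described above, shown as an added example that is not part of the original article and not Yair's Aikido code: a naive quarantine routine that stores only the path string, beside a checked version that records what the path resolved to and the file's identity at detection time and refuses to delete if either has changed. The scenario (the victim file, the attacker-owned directory standing in for C:\TEMP, the flagged sample, the swap) is constructed inline; a symbolic link is used as a stand-in for the NTFS junction so the demo runs on Linux and macOS, and the function and record names are the example's own.

```python
import os
import shutil
import tempfile


def quarantine_naive(detected_path):
    # Vulnerable pattern: remember only the path string and trust it later.
    return {"path": detected_path}


def delete_naive(record):
    # Re-traverses the stored path; any link or junction inserted into it
    # between detection and deletion is silently followed.
    os.remove(record["path"])


def quarantine_checked(detected_path):
    # Record what the path resolved to and the file's identity at detection time.
    # On Windows (Python 3.8+) realpath also resolves directory junctions.
    st = os.lstat(detected_path)
    return {
        "path": detected_path,
        "resolved": os.path.realpath(detected_path),
        "identity": (st.st_dev, st.st_ino),
    }


def delete_checked(record):
    # Refuse if the path now resolves somewhere else (a reparse point was
    # inserted) or if the object at the path is not the one that was flagged.
    path = record["path"]
    if os.path.realpath(path) != record["resolved"]:
        raise PermissionError("stored path now resolves elsewhere; refusing to delete")
    st = os.lstat(path)
    if (st.st_dev, st.st_ino) != record["identity"]:
        raise PermissionError("file identity changed since detection; refusing to delete")
    os.remove(path)


def simulate(use_checked):
    # Constructed scenario: a victim file, an attacker-owned directory standing
    # in for C:\TEMP, a harmless "flagged" sample inside it, then the swap.
    root = tempfile.mkdtemp(prefix="aikido-demo-")
    try:
        victim_dir = os.path.join(root, "victim")
        os.mkdir(victim_dir)
        victim = os.path.join(victim_dir, "important.dat")
        with open(victim, "w") as f:
            f.write("data the attacker wants destroyed\n")

        temp_dir = os.path.join(root, "TEMP")
        os.mkdir(temp_dir)
        # Same leaf name as the victim so the stored path lines up after the swap.
        sample = os.path.join(temp_dir, "important.dat")
        with open(sample, "w") as f:
            f.write("harmless stand-in for a file the EDR flags\n")

        # 1. Detection time: the EDR queues the sample for deferred deletion.
        record = quarantine_checked(sample) if use_checked else quarantine_naive(sample)

        # 2. Before the deferred deletion runs: replace the directory with a
        #    link to the victim's directory. A symlink stands in for the NTFS
        #    junction (mklink /J on Windows) that a standard user may create.
        shutil.rmtree(temp_dir)
        os.symlink(victim_dir, temp_dir, target_is_directory=True)

        # 3. Deletion time: the EDR acts on the path it stored earlier.
        try:
            (delete_checked if use_checked else delete_naive)(record)
            blocked = False
        except PermissionError:
            blocked = True
        return {"victim_survives": os.path.exists(victim), "blocked": blocked}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("naive  :", simulate(use_checked=False))
    print("checked:", simulate(use_checked=True))
```

The naive run deletes the victim file; the checked run refuses. The re-check only narrows the window, since the path is still traversed once more between the check and the remove. The robust fix is to stop acting on a path string at all: open the flagged file at detection time with a handle that does not follow reparse points (FILE_FLAG_OPEN_REPARSE_POINT on Windows, O_NOFOLLOW on POSIX), verify every directory component is not a reparse point, and delete through that handle (FileDispositionInfo on Windows, unlinkat relative to a directory file descriptor on POSIX) so nothing inserted into the path later can redirect the deletion.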
Yair notes that in most cases, organizations can recover deleted files. So getting an EDR to delete files on a system, while bad, is not the worst case. “A deletion is not exactly a wipe,” Yair says. To achieve a true wipe, Yair designed Aikido so it would also overwrite the files it had deleted, making them unrecoverable.
He says the exploit he developed is an example of an adversary using an opponent’s strength against them, just as in the Aikido martial art. Security products such as EDR tools have super-user rights on systems, and an adversary able to abuse them can execute attacks in a virtually undetectable manner. He likens the approach to an adversary turning Israel’s famed Iron Dome missile defense system into an attack vector instead.