Symlink race bugs discovered in 28 antivirus products
Security researchers from RACK911 Labs said in a report published this week that they found “symlink race” vulnerabilities in 28 of today’s most popular antivirus products.
RACK911 says the bugs can be exploited by an attacker to delete files used by the antivirus or by the operating system, resulting in crashes or rendering the computer unusable.
The vulnerability at the heart of these bugs is called a “symlink race,” Dr. Vesselin Bontchev, a member of the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, told ZDNet today.
A symlink race vulnerability takes place when you link a malicious and a legitimate file together, and end up executing malicious actions on the legitimate file. Symlink race vulnerabilities are often used to link malicious files to higher-privilege items, resulting in Elevation-of-Privilege (EoP) attacks.
“It’s a very real and old problem with operating systems that allow concurrent processes,” Dr. Bontchev told ZDNet. “Many programs have been found to suffer from it in the past.”
Years of work into researching AV products
In a report published this week, the RACK911 team said it’s been researching the presence of such bugs in antivirus products since 2018.
They found 28 products across Linux, Mac, and Windows to be vulnerable, and notified vendors as time went by.
“Most of the antivirus vendors have fixed their products with a few unfortunate exceptions,” the RACK911 team said this week. Some vendors acknowledged the issues in public advisories [1, 2, 3, 4], while others appear to have rolled out silent patches. The RACK911 team did not name the products that didn’t patch.
RACK911 says that antivirus products, in particular, are vulnerable to these types of attacks, due to the way they work. There’s an interval from when files are scanned and deemed malicious and until the antivirus steps in to remove the threat. The attack relies on replacing the malicious file with a symlink to a legitimate file within this time window.
RACK911 researchers have created proof-of-concept scripts that abuse a (symlink) race condition to link malicious files to legitimate files via directory junctions (on Windows) and symbolic links (on Mac & Linux).
When the antivirus detects the malicious file and moves to delete it, it ends up deleting its own files, or removing core files owned by the operating system.
“In our testing across Windows, macOS & Linux, we were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS,” RACK911 researchers said.
The RACK911 proof-of-concept code released this week only deletes files. Dr. Bontchev says that such attacks would be more dangerous if the attacks would rewrite files, which could be doable, and would lead to a full takeover of the attacked system.
Attacks in the real world using the RACK911 bugs would require that an attacker be in a position to first download and then run the symlink attack code on a device. This is not something that can help attackers breach a system, but something that could help them improve their access on a hacked system.
This means this type of bug can only be used as a second-stage payload in a malware infection, to elevate privileges, to disable security products, or to sabotage computers in a destructive attack.
“Make no mistake about it, exploiting these flaws were pretty trivial and seasoned malware authors will have no problem weaponizing the tactics outlined in this blog post,” the RACK911 team said.
For now, the majority of the bugs that RACK911 found in antivirus products have been fixed. However, variations could be easily discovered. Symlink race condition bugs have been some of the oldest and hardest to mitigate bugs in applications in the past decades, across all operating systems[1, 2].