Zero-Day Flaws Found in Several Leading EDR, AV Solutions


SafeBreach Labs researcher Or Yair has uncovered zero-day vulnerabilities in several leading endpoint detection and response (EDR) and antivirus (AV) solutions that enabled him to turn the tools into potentially devastating next-generation wipers.

“This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable,” Yair warned in a blog post detailing the findings. “It does all that without implementing code that touches the target files, making it fully undetectable.”

He shared his findings in a presentation yesterday at Black Hat Europe.


Aikido Tactics

Yair named the tool he developed the Aikido Wiper, after the martial art focused on using opponents’ strengths against them. Knowing that EDRs have the ability to delete any file they view as malicious, he wrote, “I set out to see if I could use that power against EDRs to delete a target file as an unprivileged wiper.”

To do so, he focused on the two key events that occur when an EDR deletes a file. “First, the EDR identifies a file as malicious and then it deletes the file,” he wrote. “If I could do something between these two events, using a junction, I might be able to point the EDR towards a different path.”

His initial attempt, redirecting the deletion immediately, failed. Deferring the deletion to the next reboot succeeded, because the standard Windows mechanism for postponing a delete until after reboot (the MoveFileExW API with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which queues the path in the PendingFileRenameOperations registry value for the session manager to process at boot) has a key flaw: “what’s surprising about this default Windows feature is that once it reboots, Windows starts deleting all the paths and blindly follows junctions.”

“As a result, I was able to create one complete process that allowed me to delete almost any file that I wanted on the system as an unprivileged user,” Yair wrote.
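The two halves of the procedure above, as an added example written for this page and not code from SafeBreach or any vendor: a parser for the PendingFileRenameOperations value that MoveFileExW writes when a deletion is deferred to reboot (so a responder can see what will be unlinked, and through which paths, before rebooting), and the check the affected products lacked, a delete routine that walks every path component with lstat and refuses to go through a symlink or Windows reparse point (a junction is a reparse point). The registry value format and API names are Windows facts; the registry paths in the sample value, the quarantine directory layout and the victim file are constructed, and the demo uses a POSIX symlink to stand in for a junction so it runs offline on any platform.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Constructed sample of the value MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
# appends to under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
# PendingFileRenameOperations. REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated,
# list closed by an empty string. Entries are (source, destination) pairs and an
# empty destination means "delete at boot". The paths are invented for the example.
SAMPLE_PENDING_OPS = (
    "\\??\\C:\\ProgramData\\quarantine\\sample.exe\0"
    "\0"
    "\\??\\C:\\Temp\\old.tmp\0"
    "!\\??\\C:\\Temp\\new.tmp\0"
    "\0"
).encode("utf-16-le")

NT_PREFIX = "\\??\\"


def parse_pending_file_rename_operations(raw: bytes) -> list[tuple[str, str]]:
    """Decode the REG_MULTI_SZ value into (source, destination) pairs."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with an empty terminating string")
    body = text[:-2]  # drop the last string's NUL and the list terminator
    if body == "":
        return []
    strings = body.split("\0")
    if len(strings) % 2:
        raise ValueError("value must hold (source, destination) pairs")
    return list(zip(strings[0::2], strings[1::2]))


def pending_deletions(ops: list[tuple[str, str]]) -> list[str]:
    """Paths the session manager will unlink at next boot (no destination).
    Check these before rebooting: by then the deletion has already followed
    whatever junction sits in the path."""
    out = []
    for src, dst in ops:
        if dst == "":
            out.append(src[len(NT_PREFIX):] if src.startswith(NT_PREFIX) else src)
    return out


def path_has_reparse_point(path: Path, root: Path) -> bool:
    """True if any component of path below root is a symlink or, on Windows,
    a reparse point (a junction is one). lstat inspects each component
    itself instead of following it."""
    cur = root
    for part in path.relative_to(root).parts:
        cur = cur / part
        st = os.lstat(cur)
        if stat.S_ISLNK(st.st_mode):
            return True
        if getattr(st, "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_REPARSE_POINT:
            return True
    return False


def safe_delete(path: Path, root: Path) -> bool:
    """Unlink path only if every component under root is a plain directory or
    file and the resolved file still lives under root. True on deletion,
    False on refusal."""
    path, root = Path(path), Path(root)
    try:
        if path_has_reparse_point(path, root):
            return False
        resolved = path.resolve(strict=True)
    except (ValueError, OSError):  # outside root, or vanished under us
        return False
    if root.resolve() not in resolved.parents:
        return False
    os.unlink(path)
    return True


def demo() -> dict[str, bool]:
    """Constructed scenario: an honest quarantine delete, then the Aikido
    pattern, where the quarantine directory has been swapped for a link to a
    directory the EDR never classified."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "edr"
        quarantine = root / "quarantine"
        quarantine.mkdir(parents=True)
        sample = quarantine / "sample.bin"
        sample.write_bytes(b"constructed malicious sample")
        honest = safe_delete(sample, root)

        victim_dir = Path(tmp) / "elsewhere"
        victim_dir.mkdir()
        victim = victim_dir / "victim.txt"
        victim.write_bytes(b"constructed stand-in for a system file")
        quarantine.rmdir()  # empty now; attacker replaces it with a link
        os.symlink(victim_dir, quarantine, target_is_directory=True)
        redirected = safe_delete(quarantine / "victim.txt", root)

        return {
            "honest_delete": honest,
            "redirected_delete": redirected,
            "victim_survived": victim.exists(),
        }


if __name__ == "__main__":
    for src in pending_deletions(parse_pending_file_rename_operations(SAMPLE_PENDING_OPS)):
        print("delete at boot:", src)
    print(demo())
```

Two caveats a practitioner should keep in mind. The component walk still leaves a window between the check and the unlink, which is exactly the gap Yair exploits; on Windows the robust form is to open each directory with FILE_FLAG_OPEN_REPARSE_POINT and delete relative to that handle, so a directory swapped for a junction is refused rather than followed. And nothing the EDR does can make the deferred-to-reboot path safe, because the session manager performs that deletion; the only fix there is not to queue paths an unprivileged user can influence.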


Patches Released

Yair tested 11 different security products against the exploit and found that six of them, more than half, were vulnerable: Microsoft Defender, Microsoft Defender for Endpoint, SentinelOne EDR, Trend Micro Apex One, Avast Antivirus, and AVG Antivirus.

Palo Alto Networks XDR, Cylance, CrowdStrike, McAfee and Bitdefender were not vulnerable to the attack.

SafeBreach reported the flaws to the affected vendors in July and August, and worked with them to create a fix prior to disclosure. The CVEs include CVE-2022-37971 (Microsoft), CVE-2022-45797 (Trend Micro), and CVE-2022-4173 (Avast and AVG).


“We encourage all organizations to ensure they are using the latest software versions and/or have applied the appropriate patches to ensure protection against this vulnerability,” Yair wrote.

Still, Yair noted, it’s not possible for them to test every product on the market. “We believe it is critical for all EDR and AV vendors to proactively test their products against this type of vulnerability and, if necessary, develop a remediation plan to ensure they are protected,” he wrote. “We would also strongly encourage individual organizations that currently utilize EDR and AV products to consult with their vendors about these vulnerabilities and immediately install any software updates or patches they provide.”


Jeff Goldman
