An attacker can bypass the self-defense mechanism of McAfee's antivirus software and gain persistence through a loophole in the product, security researchers from SafeBreach have discovered.
The flaw can be exploited by loading unsigned DLLs into multiple services running as NT AUTHORITY\SYSTEM. Exploitation, however, requires the attacker to already hold administrative privileges.
Many components of antivirus solutions run as an "NT AUTHORITY\SYSTEM" Windows service, which means they have strong system permissions, explains SafeBreach.
The affected processes, as discovered by the researchers, try to load a file from the path C:\Windows\System32\wbem\wbemcomn.dll. The file is not found there, because the legitimate DLL is located in the System32 folder itself.
An attacker could therefore abuse this loading behaviour by placing a malicious DLL in the wbem folder under the name wbemcomn.dll.
An unsigned library loaded by McAfee's own processes would bypass the antivirus self-defense mechanism, which prevents users and even administrators from writing to its files.
A second issue that makes the bypass possible is that the antivirus does not validate the digital signature of the DLL before loading it.
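As an added illustration (not SafeBreach's or McAfee's code), the following PowerShell audit checks the location the article describes: it reports whether any file is present at the hijackable wbem path and, if one is, whether it carries a valid Authenticode signature and matches the legitimate System32 copy. The two paths are taken from the article; the function name is an assumption.

```powershell
# Added audit script (not from SafeBreach or McAfee). Paths come from the article.
$HijackablePath = 'C:\Windows\System32\wbem\wbemcomn.dll'   # path the services probe first
$LegitimatePath = 'C:\Windows\System32\wbemcomn.dll'        # where the real DLL lives

function Test-DllPlanting {
    param(
        [Parameter(Mandatory)] [string] $ProbePath,     # hijackable location to inspect
        [Parameter(Mandatory)] [string] $ExpectedPath   # known-good copy to compare against
    )

    # Normal state: nothing at the probe path, so the loader falls through to the real DLL.
    if (-not (Test-Path -LiteralPath $ProbePath)) {
        return [pscustomobject]@{
            Path = $ProbePath; Status = 'Absent'; Signer = $null; SHA256 = $null
            Finding = 'OK: no file at the hijackable location'
        }
    }

    # A file exists where none should be: check its signature and compare it to the real DLL.
    $sig       = Get-AuthenticodeSignature -FilePath $ProbePath
    $signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $probeHash = (Get-FileHash -LiteralPath $ProbePath -Algorithm SHA256).Hash
    $goodHash  = if (Test-Path -LiteralPath $ExpectedPath) {
                     (Get-FileHash -LiteralPath $ExpectedPath -Algorithm SHA256).Hash
                 } else { $null }

    if ($sig.Status -ne 'Valid') {
        # Exactly the case the article describes: an unsigned DLL planted in the wbem folder.
        $finding = "ALERT: unsigned or invalid signature ($($sig.Status)) at hijackable path"
    } elseif ($probeHash -ne $goodHash) {
        # Signed, but not the DLL Windows ships; still worth an analyst's attention.
        $finding = "ALERT: signed by '$signer' but content differs from $ExpectedPath"
    } else {
        $finding = 'WARN: byte-identical copy of the legitimate DLL in the hijackable location'
    }

    [pscustomobject]@{
        Path = $ProbePath; Status = $sig.Status; Signer = $signer
        SHA256 = $probeHash; Finding = $finding
    }
}

Test-DllPlanting -ProbePath $HijackablePath -ExpectedPath $LegitimatePath | Format-List
```

Run it from an elevated prompt so the wbem directory is readable; a result other than "Absent" on a host running the affected products deserves investigation.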
"The vulnerability allows attackers to persistently load and run malicious payloads whenever the services are loaded. It ensures that when the attacker drops a malicious DLL, any time the services restart, the services load the malicious code," says SafeBreach.
Tracked as CVE-2019-3648, the vulnerability affects McAfee Anti-Virus Plus (AVP) and McAfee Web Safety (MIS).
McAfee, which learned of the security bug in August, has already released an update and says it is not aware of any attacks exploiting the flaw.
"Before this update, MTP, AVP and MIS did not check that the correct digital signatures of these third party files were loaded from the appropriate location. This might allow an attacker with administrative privileges to place malicious programs in certain places and load and run the MTP, AVP and MIS programs," McAfee states in an advisory.
A few weeks ago, SafeBreach disclosed that the Avast, AVG and Avira antivirus products are affected by similar DLL hijacking vulnerabilities, likewise exploitable only by attackers who already hold administrative privileges.