Privileged File Delete
Affected Products (not provided by vendor)
- BullGuard Premium Protection 20.0.371.8
Vulnerability Type
TOCTOU
Impact
Privileged File Delete
Summary
The malware scan function in BullGuard Premium Protection 20.0.371.8 detects a file and removes it in two separate steps, with no check that the path still names the file that was scanned. Between the two steps the detected file can be deleted and replaced by a symbolic link, so the privileged removal follows the link and deletes a file the user could not delete on their own (a time-of-check/time-of-use race leading to a privileged file delete).
Exploitation
- Copy the installation folder somewhere else,
- Close all running instances of BullGuard,
- Open the BullGuard GUI under a debugger,
- Set a breakpoint on NetUserGetInfo,
- Open the antivirus settings,
- On the second call to NetUserGetInfo, modify the returned privilege level,
- Resume the program so the settings open,
- Disable the automatic scanner,
- Start a manual malware scan,
- When the sample is detected, choose to fix it,
- Delete the sample while the fix is in progress,
- Create a symbolic link at the original sample path pointing to the target file.
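The last two steps are the whole race. As an added example (this is not the advisory's own code and not BullGuard's), the Python script below models it: `vulnerable_fix` re-resolves the path at time-of-use the way the report describes, and `hardened_fix` pins the identity of the object that was scanned and refuses to act on anything else. `MARKER`, `looks_malicious`, `simulate` and the two fixers are assumed names for the illustration; the sandbox files are constructed. Note that on Windows `os.symlink` needs SeCreateSymbolicLinkPrivilege or Developer Mode, which is a practical hurdle for this class of bug; on a POSIX host the script runs as any user.

```python
import os
import stat
import tempfile
import pathlib

# Constructed stand-in for a detection signature (assumption: a real scanner
# would use its own engine here).
MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"


def looks_malicious(path: str) -> bool:
    """Time-of-check: scan the file's bytes for the marker."""
    with open(path, "rb") as f:
        return MARKER in f.read()


def vulnerable_fix(path: str, attacker_window) -> bool:
    """Models the reported behaviour: check the path, then later delete
    whatever the path resolves to at time-of-use. Re-resolving the path is
    the TOCTOU bug; a symlink planted in between redirects the delete."""
    if not looks_malicious(path):
        return False
    attacker_window()                      # fix "in progress": attacker acts here
    os.remove(os.path.realpath(path))      # follows the link to the target
    return True


def hardened_fix(path: str, attacker_window) -> bool:
    """Pin the identity of the object that was checked and refuse to act on
    anything else at time-of-use. Never follow links when deleting."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not looks_malicious(path):
        return False
    checked = (st.st_dev, st.st_ino)       # identity of the scanned file
    attacker_window()
    now = os.lstat(path)
    if stat.S_ISLNK(now.st_mode) or (now.st_dev, now.st_ino) != checked:
        return False                       # path was swapped: abort the fix
    os.remove(path)                        # removes the name, never a link target
    return True


def simulate(fixer, attack: bool = True):
    """Run one fix inside a constructed sandbox and report
    (protected_file_survived, detected_file_removed)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "protected.txt")   # file the attacker wants gone
        sample = os.path.join(d, "malware.bin")     # file the scanner will detect
        pathlib.Path(target).write_bytes(b"keep me")
        pathlib.Path(sample).write_bytes(MARKER)

        def swap_for_symlink():
            # The advisory's last two steps: delete the detected file while the
            # fix is in progress, then plant a symlink at its path that points
            # at the target.
            os.remove(sample)
            os.symlink(target, sample)

        fixer(sample, swap_for_symlink if attack else (lambda: None))
        return os.path.exists(target), not os.path.lexists(sample)


if __name__ == "__main__":
    print("vulnerable, attacked:", simulate(vulnerable_fix))            # (False, False)
    print("hardened, attacked:  ", simulate(hardened_fix))              # (True, False)
    print("hardened, no attack: ", simulate(hardened_fix, attack=False))  # (True, True)
```

The hardened variant still leaves a short window between the second `os.lstat` and `os.remove`, but `os.remove` only ever unlinks the name it is given, so the worst case is deleting a planted link rather than its target. The robust form on Windows is to open the path once with FILE_FLAG_OPEN_REPARSE_POINT (so a reparse point is opened as itself) and delete through that handle, so the object that was checked is the object that is removed.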
