
Privileged File Delete

Affected Products (not provided by vendor)

  • BullGuard Premium Protection 20.0.371.8

Vulnerability Type

TOCTOU

Impact

Privileged File Delete

Summary

The malware scan function in BullGuard Premium Protection 20.0.371.8 has a TOCTOU issue that enables a symbolic link attack, allowing privileged files to be deleted.

Exploitation

  1. Copy the installation folder to another location,
  2. Close all instances of BullGuard,
  3. Open the BullGuard GUI in a debugger,
  4. Set a breakpoint at NetUserGetInfo,
  5. Access the antivirus settings,
  6. On the second call to NetUserGetInfo, modify the returned privilege level,
  7. Continue the program to access the settings,
  8. Disable the automatic scanner,
  9. Manually scan the malware,
  10. When it is detected, select to fix,
  11. Delete the malware while the fix is in progress,
  12. Create a symbolic link from the original malware path to a target file.
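
The check-then-delete race from the summary, shown beside a deletion routine that re-verifies the object when the fix runs. This is an added example, not BullGuard's code or the advisory author's. It is a POSIX model in Python of the Windows behaviour, and the function names, file names and the use of realpath to stand in for a link-following delete are assumptions.

```python
import os
import stat
import tempfile

def scan(path):
    """Scan time: record which file object was flagged (device, inode)."""
    st = os.lstat(path)
    return st.st_dev, st.st_ino

def naive_fix(path, ident=None):
    """Vulnerable shape: the path is resolved again when the fix runs."""
    os.remove(os.path.realpath(path))  # follows a link planted after the scan

def safe_fix(path, ident):
    """Delete only if the name still refers to the regular file that was scanned."""
    dirfd = os.open(os.path.dirname(path), os.O_RDONLY | os.O_DIRECTORY)
    try:
        name = os.path.basename(path)
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dirfd)
        except OSError:
            return False  # missing, or replaced by a symbolic link
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != ident:
                return False  # a different object now sits at this name
            os.unlink(name, dir_fd=dirfd)  # removes the entry, never a link target
            return True
        finally:
            os.close(fd)
    finally:
        os.close(dirfd)

def run(fix, swap=True):
    """Constructed scenario in a temp dir; returns (fix result, target survived)."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")     # constructed "detected" file
        target = os.path.join(d, "protected.cfg")  # stands in for a privileged file
        for p in (sample, target):
            with open(p, "w") as f:
                f.write("constructed test data")
        ident = scan(sample)
        if swap:  # the replacement described in steps 11-12, between scan and fix
            os.remove(sample)
            os.symlink(target, sample)
        return fix(sample, ident), os.path.exists(target)

if __name__ == "__main__":
    print("naive:", run(naive_fix), "safe:", run(safe_fix))
```

The hardened routine refuses to act when the scanned name has become a link or a different object, so the fix fails closed instead of deleting whatever the path now resolves to.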

Demo
