TotalAV version 6.0.x
totalav_6_0_1028-latest.mp4
Timeline:
13th Feb, 2024 : Discovered 6.0.740 vulnerable and reported to TotalAV.
15th Feb, 2024: TotalAV confirmed and reproduced the issue.
19th Feb, 2024: TotalAV was liaising with another vendor. That vendor advised that they were working on it.
18th Mar, 2024 - 19th Apr: Asked for update, no response from TotalAV.
3rd May, 2024: Requested CVE ID and asked TotalAV for further updates. TotalAV replied no update regarding this issue.
11th May, 2024: Version 6.0.1028 was still vulnerable. No mitigation timeline from the vendor.
Steps:
-
Download a malicious DLL generated by msfvenom (part of the metasploit exploitation software package). In the video, I was targeting a DLL loaded by Windows Update service.
-
After the DLL has been quarantined, create a junction to link the download file location to C:\Windows\System32\ for example linking c:\users<username>\downloads\test
C:\Users\player1\Desktop\CreateMountPoint.exe "C:\Users\player1\Downloads\test" "C:\Windows\System32"
-
Restore the DLL, the file is now written to the mount point- C:\Windows\System32\
- Using eicar as example, it was written by NT\SYSTEM
- Using eicar as example, it was written by NT\SYSTEM
-
After restoring, the DLL is detected as a threat the second time and moved to quarantine again
-
If the DLL is restored from Quarantine again, the file is written to C:\Windows\System32\ again
-
If Windows Update services are then triggered, it loads the malicious DLL and the attacker obtains nt authority\SYSTEM privileges.
(New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search('IsInstalled=0')
Reference: https://github.com/googleprojectzero/symboliclink-testing-tools
Special thanks to Filip !!! (https://github.com/Wh04m1001)