A coworker tipped me off the other day to how it’s possible to use a certain major-brand antivirus to infect a computer. “I didn’t have admin rights,” I overheard him explaining, “So I got them with [redacted] antivirus.”
My head spun around violently. “You did what?”
“Google ‘confused deputy persistence,’” he deadpanned. “It’s the first result.” Then he went back to explaining the problem at hand.
His writeup is several years old, which makes things worse. Admittedly his description is a bit cryptic, but a number of security firms have read it and understood it. I’ll explain it more explicitly. A “confused deputy” is a computer program that runs with more rights and privileges than an ordinary user and can be tricked into using that authority for something unintended (and probably undesirable, from the standpoint of the person who owns the computer system). So what he’s doing is injecting code and tricking the antivirus into running it.
The reason his attack works is that the code still references old DLL filenames the program no longer needs or uses. Since those names were never dropped from the code, the program will still happily load them if it finds them in the usual places it looks.
So to use this particular antivirus program to infect a computer, just code up a DLL, give it a name the antivirus program is looking for, write it in the correct location, and the antivirus program will happily load and execute it.
He explained how to go about finding the names of some of these vestigial DLLs. It’s way too easy, so I won’t go into detail because I don’t want every antivirus program in existence to become a delivery mechanism. I only know of one product that has this problem, but odds are most of them have a similar problem.
So here’s my plea to developers: When you deprecate or stop using a DLL, before you compile and release your code, please please please review all of the source code for references to it and remove them. If you don’t do that, then you’ve just created insecure code, code that can be used to do bad things. It’s worse when this kind of thing shows up in a security product, since those products usually run with high privileges, but any computer program would be vulnerable to this kind of problem.
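A source-level check of the kind this plea asks for, added here as an example (it is not the author's, the coworker's or any vendor's code): it collects every DLL name the source references as a string literal and reports the ones the product neither ships nor expects from the OS, which are exactly the names the loader will go searching for. The regex, the `SYSTEM_DLLS` allowlist and the sample source files are constructed for the example.

```python
import re

# Matches a narrow or wide C/C++ string literal whose last path component ends in ".dll".
# This catches LoadLibrary*/LoadLibraryEx* arguments, #pragma comment(linker, "/DELAYLOAD:x.dll")
# and bare literals handed to a loader later.  Windows file names are case-insensitive,
# so every hit is lower-cased.  (Constructed pattern; see the caveat after the block.)
DLL_REF = re.compile(r'L?"(?:[^"\n]*[/\\:])?([A-Za-z0-9_.\-]+\.dll)"', re.IGNORECASE)

# DLLs the OS itself provides in System32 (constructed, partial allowlist for the example).
SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll", "ws2_32.dll"}


def dll_references(source: str) -> set[str]:
    """All DLL file names referenced as string literals in one source file."""
    return {m.group(1).lower() for m in DLL_REF.finditer(source)}


def vestigial_references(sources: dict[str, str], shipped: set[str]) -> dict[str, list[str]]:
    """Map each DLL name that the code references, but that the product neither ships nor
    gets from the OS, to the source files referencing it.  Those are the names that will be
    missing from the install directory and resolved through the loader's search path."""
    shipped_lc = {s.lower() for s in shipped}
    findings: dict[str, list[str]] = {}
    for path, text in sources.items():
        for name in dll_references(text):
            if name not in shipped_lc and name not in SYSTEM_DLLS:
                findings.setdefault(name, []).append(path)
    return {name: sorted(files) for name, files in sorted(findings.items())}


# Constructed sample source tree standing in for a product's repository.
SAMPLE_SOURCES = {
    "src/scanner.cpp": '''
        HMODULE h = LoadLibraryW(L"scanengine.dll");   // shipped with the product
        HMODULE k = GetModuleHandleA("kernel32.dll");  // provided by the OS
    ''',
    "src/legacy_update.cpp": '''
        // Updater was rewritten two releases ago; this fallback was never deleted.
        HMODULE u = LoadLibraryA("oldupdater.dll");
    ''',
    "src/build.cpp": '#pragma comment(linker, "/DELAYLOAD:reportlib.dll")',
}
SHIPPED = {"scanengine.dll", "scanui.dll"}  # what the installer actually drops

if __name__ == "__main__":
    for name, files in vestigial_references(SAMPLE_SOURCES, SHIPPED).items():
        print(f"{name}: referenced in {', '.join(files)} but not shipped or system-provided")
```

A literal search only finds names that appear whole in the source; a DLL name assembled at run time from fragments, or read from a config file or the registry, needs a review of the loading code itself, and the release build's import and delay-load tables are the final word on what the binary will ask the loader for.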
And if you have contacts at an antivirus vendor, feel free to have them get in contact with me. Comment on this or the most recent post, and include a couple of URLs in it to guarantee it will be held for moderation, and I’ll see it. I’m glad to share details and/or put them in touch with my coworker who discovered this behavior.