For 2020, June’s Patch Tuesday, Microsoft published Advisories addressing Multiple Vulnerabilities in Microsoft Windows Defender.
Microsoft Windows Defender
Microsoft Defender is an anti-malware component of Microsoft Windows, designed to protect computers from viruses, spyware and other forms of malware.
CVE-2020-1163 and CVE-2020-1170
An elevation of privilege vulnerability exists in Defender that leads to arbitrary file deletion on the system. The vulnerability exists due to application does not properly impose security restrictions in Windows Defender. A local user can use a specially crafted application and take control of an affected system.
Recently a detailed analysis Report of CVE-2020-1170 is published.
Let’s see this vulnerability in Nutshell.
The Vulnerability exist due to incorrect way of handling Windows Defender log files.
MpSigStub.log, these two files are for Windows Defender logs, located in
When Signatures updates for Windows Defender, some information is being written to
C:\Windows\Temp\MpCmdRun.log by Windows Defender (as
Administrators and SYSTEM have Full Control over these files by default, whereas normal users can’t even read them or have write access to them, but when normal user (low-privileged) trigger the Signature Updates process, information will be written to these log files as
With help of Log Rotation Mechanism, an attacker can exploit this vulnerability. In Log Rotation, every time Signatures Updates, it writes information in log files and when these log files reached to the file size limit (16MB), the original file renamed as
MpCmdRun.log.bak and creates a new one.
so, an attacker can create the directory
C:\Windows\Temp\MpCmdRun.log.bak\ and set it as a mountpoint to another location on the filesystem. To trick the system using
MpCmdRun.log file must be filled up to 16 MB. An attacker needs to run Update-MpSignature command in a loop for 10000 times. According to the link, the researcher has been able to exploit this vulnerability using this same trick to demonstrate the PoC.
C:\ProgramData\Microsoft\Windows\WER is specified as the target directory to delete, because, once this folder has been removed, an attacker can get code execution as
Windows Defender anti-malware platform Version prior to 4.18.2005.1
Microsoft advised users to ensure update for the Windows Defender is installed to mitigate any risk.
Qualys has released QID 91649 to Detect this vulnerability.