Windows Defender spills secrets

A new technique to extract private information from servers protected by Windows Defender has been developed by the TokyoWesterns team.

The method, which was published online after the Capture the Flag (CTF) competition at the WCTF 2019 conference, is a specialized server-side request forgery (SSRF) technique that takes advantage of the security mechanisms embedded in Windows Defender, Microsoft’s default antivirus tool.

SSRF attacks involve specially crafted request packets that trick servers into obtaining and returning information that the attacker would not otherwise have been able to access.

Hackers usually use SSRF attacks to reach files and other resources that are only accessible from the local network of the targeted server.

In their CTF example, the researchers attacked a target web application running on a Windows server protected by Windows Defender.

The application had some publicly available URLs, meant to be accessed by everyone, and one URL that was only accessible to the ‘localhost’ address (the server itself). This latter URL contained sensitive information.

In order to get the web application to reveal information from the ‘localhost’ address, the researchers crafted a special JavaScript snippet and embedded it in the query string of one of the public facing URLs.

This caused Windows Defender’s defensive modules on the server to intervene and analyze the code for potentially harmful commands, the researchers found.

More importantly, the antivirus analysis of the embedded script only affected the server’s response to the client. This meant that the attackers were able to cause Defender to leak information about the secret data the application was storing by carefully manipulating their script.

Ask the Oracle

AV Oracle is a blind server-side request forgery exploit that could also (possibly) fall under the ‘XS-Search’ category of exploits.

The vulnerability causes antivirus software to leak a secret value when storing a file containing an attacker controlled value and sensitive information.

In this case, Windows Defender is acting as an ‘Oracle’, inadvertently providing the attackers with pertinent information about the host machine.

The Daily Swig reached out to @t0nk42, member of TokyoWesterns and author of the group's paper on the hack, and asked whether the vulnerability is unique to Windows Defender, or whether it could also apply to other antivirus tools.

“Since most antivirus behave the same, the method might potentially work on other endpoint protection tools,” @t0nk42 said in a Twitter chat, but added that for the oracle technique to work, the targeted antivirus tool must have a JScript analyzer component like Windows Defender.

Asked whether the technique can be used for other harmful purposes or as part of a larger attack, @t0nk42 confirmed that TokyoWesterns is currently working on further exploring the effects of the exploit.

“Perhaps the method can be used to target browser cache (like response from API), which means not only servers, but users would also be affected,” @t0nk42 said.

@t0nk42 also confirmed that the team had filed a report with the Microsoft Security Response Center. Microsoft had said that their discovery did not meet the company’s criteria for a flaw that ought to be patched.

The Daily Swig reached out to Microsoft about the vulnerability.

“The issue described is specific to the application [TokyoWesterns] studied and not a vulnerability in Windows Defender,” a spokesperson said.

“The application did not follow good data hygiene by storing sensitive data and user-controlled data together in the same file, enabling the researcher access to the sensitive data.”

Google web security researcher Eduardo Vela disputes Microsoft’s rationale on this point.

“It’s common to store user-supplied contents next to secret values,” he said on Twitter. “This proves that to be dangerous thanks to Windows Defender.”
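
The storage layout that Microsoft’s statement and the AV Oracle description turn on, shown as an added example (not code from the article, TokyoWesterns or the application studied): one file that holds a secret beside user-controlled data, next to a layout that keeps them apart, with a check that flags any file mixing the two. The field names, directory names and sample values are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical field names: the article does not describe the application's schema.
SECRET_FIELDS = {"api_token"}

def save_combined(root: Path, sid: str, record: dict) -> list:
    """Risky layout: secret and user-controlled fields share one file on disk."""
    root.mkdir(parents=True, exist_ok=True)
    path = root / f"{sid}.json"
    path.write_text(json.dumps(record))
    return [path]

def save_split(root: Path, sid: str, record: dict) -> list:
    """Separated layout: secrets go to a file that never holds user-controlled bytes."""
    parts = {
        "secrets": {k: v for k, v in record.items() if k in SECRET_FIELDS},
        "userdata": {k: v for k, v in record.items() if k not in SECRET_FIELDS},
    }
    paths = []
    for folder, fields in parts.items():
        path = root / folder / f"{sid}.json"
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(fields))
        paths.append(path)
    return paths

def mixed_files(paths, record: dict) -> list:
    """Return the files that hold both a secret value and a user-controlled value."""
    secret_vals = [str(v) for k, v in record.items() if k in SECRET_FIELDS]
    user_vals = [str(v) for k, v in record.items() if k not in SECRET_FIELDS]
    flagged = []
    for path in paths:
        text = path.read_text()
        if any(s in text for s in secret_vals) and any(u in text for u in user_vals):
            flagged.append(path)
    return flagged

def demo() -> tuple:
    # Constructed sample record; values are plain ASCII so JSON stores them verbatim.
    record = {"api_token": "CONSTRUCTED-SECRET-1234", "comment": "user supplied text"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        combined = mixed_files(save_combined(root / "combined", "s1", record), record)
        split = mixed_files(save_split(root / "split", "s1", record), record)
        return len(combined), len(split)

if __name__ == "__main__":
    print(demo())
```

With the separated layout, a scanner that inspects the user-data file has no secret bytes in the same file to evaluate alongside the attacker-controlled content.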

