CVE-2020-15401 in IOBit Malware Fighter Pro

Summary

by MITRE

IOBit Malware Fighter Pro 8.0.2.547 allows local users to gain privileges for file deletion by manipulating malicious flagged file locations with an NTFS junction and an Object Manager symbolic link.


Analysis

by VulDB Data Team • 07/01/2020

This vulnerability exists in IOBit Malware Fighter Pro version 8.0.2.547 and represents a privilege escalation flaw that enables local attackers to delete files they would normally not have access to. The vulnerability stems from improper handling of file system objects within the malware protection software's file deletion mechanisms. Attackers can exploit this weakness by creating malicious file paths that leverage NTFS junction points combined with Object Manager symbolic links to manipulate the software's file handling processes. The flaw allows an attacker to bypass normal file access controls and delete protected system files or user data through the legitimate interface of the malware fighter application. This type of vulnerability falls under the category of privilege escalation as defined by CWE-269 and CWE-787, where insufficient access control checks lead to unauthorized operations.

The technical implementation of this exploit involves creating a carefully crafted NTFS junction point that points to a protected file location while simultaneously establishing an Object Manager symbolic link that the malware fighter application will traverse during its file deletion operations. When the application processes what it believes to be a flagged malicious file, the junction and symbolic link manipulation causes the software to follow the link to a different file path than originally intended, ultimately allowing deletion of files in protected directories. This exploitation technique combines file system manipulation with object manager traversal, creating a complex attack vector that demonstrates poor input validation and path resolution handling within the application's security model.

The operational impact of this vulnerability extends beyond simple file deletion capabilities as it provides attackers with a mechanism to bypass security controls that are specifically designed to prevent unauthorized modifications to system files. Local privilege escalation through malware protection software is particularly concerning because it allows attackers to undermine the very security measures that are supposed to protect the system. The vulnerability affects systems where IOBit Malware Fighter Pro is installed and running with elevated privileges, potentially enabling attackers to remove critical system components, user data, or security-related files. This creates a significant risk for enterprise environments where such software is commonly deployed as part of endpoint protection strategies. The attack vector requires local system access but does not require network connectivity, making it particularly dangerous in environments where physical access is possible or where attackers have already achieved initial compromise through other means.

Mitigation strategies for this vulnerability should focus on immediate patching of the IOBit Malware Fighter Pro application to the latest version that addresses the privilege escalation flaw. System administrators should implement least privilege principles and ensure that the malware fighter application runs with minimal required privileges rather than elevated permissions. Additionally, monitoring for suspicious file deletion activities and implementing file integrity monitoring solutions can help detect exploitation attempts. The vulnerability demonstrates the importance of proper input validation and secure file system object handling as outlined in the software security principles of the OWASP Top Ten and MITRE ATT&CK framework. Organizations should also consider implementing application whitelisting policies to prevent unauthorized execution of potentially vulnerable software components and maintain regular security assessments to identify similar weaknesses in other endpoint protection tools.
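As an added defensive example (not VulDB's or IOBit's code), the check a privileged cleaner should run before deleting a flagged path: walk every component with lstat and refuse to act through any junction or symlink, instead of resolving the path and deleting whatever it currently points to. The quarantine layout and file names are assumptions.

```python
import os
import stat
import tempfile

# Windows reports junctions and symlinks via this attribute; POSIX only has
# symlinks, covered by S_ISLNK. lstat never follows the link it inspects.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)

def is_reparse_point(path):
    st = os.lstat(path)
    return stat.S_ISLNK(st.st_mode) or bool(
        getattr(st, "st_file_attributes", 0) & REPARSE)

def check_deletable(root, rel_path):
    """May a privileged cleaner delete root/rel_path? Every component below
    root is checked with lstat, so a junction or symlink planted by an
    unprivileged user is rejected instead of followed. Returns (ok, reason)."""
    root = os.path.realpath(root)
    target = os.path.normpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, target]) != root:  # '..' escape
        return False, "path escapes root"
    current = root
    for part in os.path.relpath(target, root).split(os.sep):
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            return False, "missing component: " + part
        if is_reparse_point(current):
            return False, "reparse point in path: " + current
    if not stat.S_ISREG(os.lstat(target).st_mode):
        return False, "not a regular file"
    return True, "ok"

def demo():
    # Constructed scenario: a quarantine root with one genuinely flagged file
    # and one link that redirects out of the root, as the advisory describes.
    outside, root = tempfile.TemporaryDirectory(), tempfile.TemporaryDirectory()
    try:
        open(os.path.join(outside.name, "important.dat"), "w").close()
        open(os.path.join(root.name, "flagged.exe"), "w").close()
        os.symlink(outside.name, os.path.join(root.name, "redir"),
                   target_is_directory=True)
        return {
            "plain": check_deletable(root.name, "flagged.exe")[0],
            "via_link": check_deletable(root.name, "redir/important.dat")[0],
            "dotdot": check_deletable(root.name, "../important.dat")[0],
        }
    finally:
        root.cleanup()
        outside.cleanup()
```

This catches file-system reparse points only; an Object Manager symbolic link is resolved when the handle is opened, so the deletion itself should also be performed on a handle opened without following reparse points (FILE_FLAG_OPEN_REPARSE_POINT on Windows) to close the time-of-check gap.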

Reservation

06/30/2020

Moderation

accepted

CPE

ready

EPSS

0.00381

KEV

no

Activities

very low
