A recent discovery has unveiled a significant vulnerability within Windows Defender, the built-in antivirus solution for modern Windows operating systems. This flaw, identified by a security researcher known as Chaotic Eclipse, allows standard users to exploit a logic error in the file remediation process, enabling them to execute code with elevated privileges without the need for administrative access or other complex exploits.
Understanding the Vulnerability
The crux of the issue lies in how Windows Defender handles the restoration of files flagged as malicious. When a file is detected, Defender attempts to restore it to its original location without checking whether that location has been altered through a junction point. This oversight creates an opportunity for attackers to manipulate the system during a narrow window of time, redirecting the restoration process into the sensitive C:\Windows\System32 directory.
The exploit, dubbed RedSun, leverages a missing validation in MpSvc.dll, the core component of the Malware Protection Engine. By timing their actions precisely, attackers can replace the intended restoration path with a junction point that redirects to C:\Windows\System32. Consequently, when Defender writes the file, it inadvertently places the malicious binary directly into a critical system directory.
Technical Insights
RedSun operates by chaining together four legitimate Windows features, none of which are inherently vulnerable on their own. The exploit hinges on the interaction of these components under specific timing conditions:
- Opportunistic Locks (OPLOCKs): These locks allow processes to receive notifications when another process attempts to access a file. In this case, a batch OPLOCK is used to create a precise timing mechanism that holds Defender in a blocked state.
- Cloud Files API: This API facilitates cloud synchronization and allows the creation of placeholder files. An attacker can create a placeholder to present a controlled file to Defender.
- Volume Shadow Copy Service (VSS): VSS creates snapshots of volumes, which Defender uses during its remediation process. The exploit monitors for the creation of a new shadow copy to time the attack accurately.
- Junction Points: These allow standard users to redirect filesystem operations. By creating a junction point to C:\Windows\System32, the attacker can redirect Defender’s write operation without detection.
Exploit Execution
The execution of the RedSun exploit unfolds in several steps:
- Shadow Copy Monitoring: A background thread monitors for new shadow copies, indicating that Defender is in the remediation phase.
- EICAR Drop and AV Trigger: The EICAR test string is cleverly embedded in a binary and executed, prompting Defender to initiate its detection and remediation workflow.
- OPLOCK Synchronization and Junction Swap: The attacker acquires a batch OPLOCK, deletes the original file, and creates a Cloud Files placeholder while simultaneously establishing a junction to C:\Windows\System32.
- Defender Writes Payload to System32: With the junction in place, Defender unwittingly writes the attacker’s binary into the System32 directory.
- SYSTEM Shell via Storage Tiers COM Server: The exploit activates a COM server that executes the malicious binary, granting the attacker SYSTEM-level access.
Root Cause Analysis
The vulnerability stems from a lack of reparse point validation in the file restoration process. The configuration handler responsible for managing rollback policies does not verify whether the restoration path has changed, allowing the exploit to succeed. A simple check could have prevented this vulnerability from being exploited.
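To make the missing check concrete, here is an added illustrative example; it is not Defender's code and not taken from the original research. It is a minimal quarantine/restore routine that records where a file came from and refuses to write it back if any component of that path has become a reparse point, or if the parent directory no longer resolves to the place it did at quarantine time. The function names, the POSIX symlink that `demo()` uses to stand in for a Windows junction, and the sample payload are all this example's own.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


class RestorePathChanged(Exception):
    """The recorded restore location no longer points where it did at quarantine time."""


def path_has_reparse_point(path: str) -> bool:
    """True if any existing component of `path` is a symlink, junction or other
    reparse point. Components that do not exist yet (the file being restored)
    are skipped rather than treated as an error."""
    parts = Path(path).parts
    for i in range(1, len(parts) + 1):
        prefix = Path(*parts[:i])
        try:
            st = os.lstat(prefix)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            return True
        # Windows junctions are reparse points; st_file_attributes exists only there.
        attrs = getattr(st, "st_file_attributes", 0)
        if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
            return True
    return False


def record_restore_location(original_path: str) -> dict:
    """Quarantine-time bookkeeping: the path to restore to, and what its parent
    directory really resolved to at that moment."""
    full = os.path.abspath(original_path)
    return {"path": full, "parent_real": os.path.realpath(os.path.dirname(full))}


def safe_restore(record: dict, content: bytes) -> str:
    """Write `content` back to the recorded path only if that path still means
    what it meant when the record was taken."""
    dest = record["path"]
    if path_has_reparse_point(dest):
        raise RestorePathChanged(f"reparse point on the way to {dest}")
    if os.path.realpath(os.path.dirname(dest)) != record["parent_real"]:
        raise RestorePathChanged(f"parent of {dest} now resolves elsewhere")
    # Create-only and no-follow on the final component: fail instead of
    # overwriting or following anything that appeared after the checks.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return dest


def demo() -> tuple:
    """Restore once into an honest directory, then again after that directory
    has been swapped for a link into a protected one (a POSIX symlink stands in
    for a junction here). Returns (first_restore_ok, second_refused,
    protected_dir_untouched)."""
    base = os.path.realpath(tempfile.mkdtemp())  # realpath: /tmp itself may be a link
    try:
        restore_dir = os.path.join(base, "restore_here")
        protected = os.path.join(base, "protected")
        os.makedirs(restore_dir)
        os.makedirs(protected)
        record = record_restore_location(os.path.join(restore_dir, "sample.exe"))
        first_ok = os.path.isfile(safe_restore(record, b"constructed payload"))
        # Swap the directory for a link, which is the redirection the article describes.
        shutil.rmtree(restore_dir)
        os.symlink(protected, restore_dir)
        try:
            safe_restore(record, b"constructed payload")
            second_refused = False
        except RestorePathChanged:
            second_refused = True
        return first_ok, second_refused, os.listdir(protected) == []
    finally:
        shutil.rmtree(base)
```

Two design points matter here. The check and the write are still separate steps, so a production implementation would open a handle to the verified directory and write relative to that handle rather than re-opening by path; and a restore location that has changed is treated as a failure to surface, not something to retry silently.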
Impact and Mitigation Strategies
RedSun poses a threat to any Windows system with Windows Defender enabled, affecting Windows 10, Windows 11, and Windows Server 2019 and later. The exploit operates with high reliability, even on systems with the latest updates. Currently, no patch is available, and Microsoft has not assigned a CVE for this vulnerability.
Until a fix is released, organizations are advised to implement behavioral detection strategies:
- Monitor for VSS enumeration from non-system processes. Unusual calls targeting shadow copy devices from user processes should raise alerts.
- Alert on untrusted processes registering Cloud Files sync roots. This could indicate an attempt to exploit the vulnerability.
- Monitor junction creation in temporary directories. The creation of junction points by standard users in specific contexts can signal malicious activity.
- Alert on unexpected writes to C:\Windows\System32 from Defender’s process. Such activity is anomalous and warrants investigation.
- Consider disabling cloud-delivered protection on high-risk systems. However, this should be a temporary measure due to the potential degradation of Defender’s overall effectiveness.
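The four behavioural rules above applied to constructed telemetry, as an added example that is not part of the original article and not a rule set shipped by any product. The JSON field names, the event lines, the allow-list of sync clients, and the assumption that Defender's service runs as MsMpEng.exe are all this example's own; map them onto whatever your EDR or Sysmon pipeline actually emits.

```python
import json
import ntpath
from collections import defaultdict

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
DEFENDER_IMAGE = "msmpeng.exe"  # assumed image name of the Defender service process
SHADOW_DEVICE = "\\device\\harddiskvolumeshadowcopy"
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Constructed allow-list: clients that are expected to register Cloud Files sync roots.
TRUSTED_SYNC_CLIENTS = {"c:\\program files\\microsoft onedrive\\onedrive.exe"}

# Constructed telemetry, one JSON object per line. The field names are this
# example's own, not any real sensor's schema.
SAMPLE_LOG = r"""
{"event": "file_open", "pid": 900, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe", "path": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3"}
{"event": "file_open", "pid": 4242, "user": "DESKTOP\\alice", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe", "path": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3"}
{"event": "syncroot_register", "pid": 3100, "user": "DESKTOP\\alice", "image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "path": "C:\\Users\\alice\\OneDrive"}
{"event": "syncroot_register", "pid": 4242, "user": "DESKTOP\\alice", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage"}
{"event": "reparse_set", "tag": "junction", "pid": 4242, "user": "DESKTOP\\alice", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage\\link"}
{"event": "reparse_set", "tag": "junction", "pid": 2200, "user": "DESKTOP\\alice", "image": "C:\\Windows\\System32\\cmd.exe", "path": "D:\\Projects\\shared"}
{"event": "file_create", "pid": 1234, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "path": "C:\\Windows\\System32\\dropper.exe"}
{"event": "file_create", "pid": 1234, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "path": "C:\\ProgramData\\ExampleAV\\Scans\\History\\example.bin"}
"""


def evaluate(event: dict) -> list:
    """Apply the four rules from the mitigation list to one event; return the names that fire."""
    kind = event.get("event")
    path = event.get("path", "").lower()
    image = event.get("image", "").lower()
    hits = []
    # 1. Shadow copy device opened by something other than SYSTEM.
    if kind == "file_open" and SHADOW_DEVICE in path and event.get("user") != SYSTEM_ACCOUNT:
        hits.append("vss_enum_from_user_process")
    # 2. Sync root registered by a process not on the allow-list.
    if kind == "syncroot_register" and image not in TRUSTED_SYNC_CLIENTS:
        hits.append("untrusted_syncroot")
    # 3. Junction created under a temp directory.
    if kind == "reparse_set" and event.get("tag") == "junction" and any(m in path for m in TEMP_MARKERS):
        hits.append("junction_in_temp")
    # 4. Defender's own process creating a file under System32.
    if kind == "file_create" and path.startswith(SYSTEM32_PREFIX) and ntpath.basename(image) == DEFENDER_IMAGE:
        hits.append("defender_write_to_system32")
    return hits


def scan(log_text: str) -> list:
    """Return (line_number, pid, rule) for every rule hit in the log text."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            findings.append((lineno, event.get("pid"), rule))
    return findings


def correlate(findings, min_rules: int = 2) -> dict:
    """Escalate processes that tripped at least `min_rules` distinct rules: the chain
    in the article touches VSS, Cloud Files and junctions from one unprivileged process."""
    by_pid = defaultdict(set)
    for _, pid, rule in findings:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}
```

`correlate` is the part worth keeping: each single rule fires on benign activity now and then (backup agents open shadow copies, sync clients register sync roots), but one unprivileged process doing two or more of these in sequence is the pattern the article describes, while the Defender-writes-to-System32 rule stands on its own because that write should never happen.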
References
For further reading and detailed technical insights, please refer to the original research and documentation surrounding the RedSun exploit.