Windows 10 Store wsreset utility lets attackers to bypass Antivirus

A method that exploits Windows 10 Microsoft Store called wsreset.exe can delete and bypass antivirus protection on a host machine without being detected. Wsreset.exe is a legitimate troubleshooting utility that lets users to diagnose problems with the Windows Store and reset its cache.

The security researcher Daniel Gebert has discovered that wsreset.exe can be abused to delete arbitrary files. As wsreset.exe runs with elevated privileges because it deals with the Windows settings, this vulnerability would allow attackers to delete files even if they would not normally have the privileges.

Deleting files using wsreset.exe

When creating temporary cache and cookie files, Windows Store stores these files in the following directories:

After analyzing the wsreset tool, Daniel Gebert found that this utility will delete files present in these folders, thereby resetting the cache & cookies for the Windows Store application. The exploitation technique mentioned here relies on a simple concept of  folder junctions which are similar to, but a more limited version of symlinks.

If threat actor can create a link that points this \InetCookies path to a target directory of attacker’s choice, the target directory will be the one deleted when wsreset.exe runs. This is because wsreset.exe runs with auto-elevated privileges by default.

To begin, the attacker first deletes the \INetCookies folder (which the wsreset.exe tool would have otherwise cleared). Users with limited privileges can delete the folder, so that isn't a challenge - either threat actor with the control of a user account or a malicious code running inside the compromised user's account can accomplish this.

INetCookies folder with standard user having full privileges

Following this, threat actor now creates a link or folder junction, making the \INetCookies location point to a privileged location they had like wsreset.exe to delete.

In the example shown below, the threat actor is mapping the \INetCookies directory to the C:\Windows\System32\drivers\etc location. The \etc folders contain important config and settings files, including the hosts file for configuring local DNS rules.

Daniel Gebert explains in his blog post that this can be done by using mklink.exe with the '/J' parameter or via the powershell new-item command with the '-ItemType .' parameter.

Using mklink to create folder junction

Now when wsreset.exe is run by the threat actor or their script, the "\etc" folder which would otherwise require elevated privileges to clear, would be deleted.

Abusing wsreset to bypass antivirus software

The security researcher demonstrated how this behavior could be abused to bypass antivirus protections, focusing on Adaware as an example. Daniel Gebert stated that Adaware antivirus stores configuration files (and more) in the folder C:\ProgramData\adaware\adaware antivirus. Adaware needs these files to interact with malware signatures/definitions downloaded before. Regular users cannot delete this folder.

Adaware antivirus settings directory cannot be deleted by a standard user account

Once the threat actor creates their "\INetCookies" symbolic link to point to the "\adaware antivirus" folder and runs wsreset.exe, the files within the folder are now deleted seamlessly. Granted, some files (which were in use by the antivirus) may remain within the folder even after wsreset.exe runs, that's not a problem. The overall process is enough to corrupt & spin the antivirus out of control.

On reboot, after the Adaware antivirus relaunches, it would be deactivated permanently. This is because its settings, signatures/definitions, & other core files have been purged from the system. And the Adaware antivirus wasn't able to detect or prevent this either.

Adaware antivirus wasn't able to detect

This privilege escalation flaw existing in the wsreset.exe tool can be abused for other purposes, such as UAC bypass as previously demonstrated by Hashim Jawad in 2019. These are just some of the examples of unchecked permissions on core system files that can aid adversaries in flying under the radar while compromising systems.

Does this article being helpful to you? Let us know your thoughts in the comments section and share it with us on Facebook, Twitter, or our LinkedIn Group.


Previous Post Next Post