TokyoWesterns’ team of web application security experts just unveiled a new attack method that, if exploited, would allow the extraction of sensitive information from any server protected with Windows Defender.
This attack method, dubbed “Oracle AV”, was disclosed during a recent cybersecurity event and, according to its developers, is a specialized server-side request forgery technique that leverages security mechanisms included in Windows Defender by default. Windows Defender is the antivirus security tool pre-installed on Microsoft systems.
These kinds of attacks (commonly known as SSRF attacks) rely on sending specially designed request packages to trick servers into responding with sensitive information, otherwise inaccessible for threat actors, as assured by web application security specialists.
Hackers usually use SSRF attacks to access certain resources, such as sensitive files and other resources that can only be accessed through a local network of the target server. The method developed by the researchers shows an attack against a web application running on a Windows Defender-protected server.
The target application contained some publicly available URLs (any user could access them), plus a URL accessible only to administrators using the local address “localhost” (on the same server); according to the experts, this URL contained the target’s confidential information.
In addition, this vulnerability could also be classified as an exploit of the XS-Search category. In other words, this flaw causes antivirus software to lose a secret value by storing a file that contains attacker-controlled value and sensitive information.
Moreover, when questioned about the harmful potential of Oracle AV attack in other scenarios or against other targets, the specialist mentioned that the investigation is not yet completed, so new ways to exploit these flaws could appear shortly, although it does mention a potential scenario: “This attack may also work against a browser’s cache, so Oracle AV would affect servers and users,” warns the expert.