Abusing TotalAV Anti Virus to Delete Arbitrary Files as SYSTEM
Overview

While investigating the behavior of TotalAV Anti Virus, I discovered a serious vulnerability that allows arbitrary file deletion as NT AUTHORITY\SYSTEM. What is particularly concerning is that this can be triggered by a regular, non-administrative user by abusing how TotalAV Anti Virus handles cleanup routines in conjunction with Windows NTFS junctions.

Despite attempts to responsibly disclose this issue to the vendor (TotalAV), I received no acknowledgment or response. I am now publishing technical details to raise awareness and hopefully prompt a fix.

The Vulnerability

Impact

Privilege escalation via file deletion: A non-admin user can delete files owned or protected by SYSTEM by abusing a cleanup feature in the antivirus.

Persistence and LPE vectors: By targeting specific files or system DLLs, this could lead to privilege escalation, denial of service, or persistence mechanisms (e.g., deleting scheduled task binaries, logs, or configuration files).

Root Ca...
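The check a cleanup routine running as SYSTEM needs against this bug class, as an added example that is not TotalAV's code and not the author's: it refuses to follow NTFS reparse points (junctions and symlinks) when emptying a user-writable directory, and the demo below it shows why, since a junction can be created by an unprivileged user and redirects a naive recursive delete to whatever it points at. Every path here is hypothetical and created under $env:TEMP; the "cleanup" and "victim" directories stand in for an AV cleanup location and a protected location, and nothing about TotalAV's actual paths or internals is assumed.

```powershell
# Added example (not the page's or vendor's code). All paths are hypothetical
# and live under $env:TEMP, so the script runs as a normal user.

function Test-ReparsePoint {
    # True when the item is a junction, symlink or other reparse point.
    param([Parameter(Mandatory)][string]$LiteralPath)
    $item = Get-Item -LiteralPath $LiteralPath -Force
    return [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
}

function Remove-CleanupDirectorySafely {
    # Deletes everything beneath $Root without ever following a reparse point.
    # A junction dropped into a user-writable cleanup directory would otherwise
    # redirect a privileged delete to an arbitrary location.
    param([Parameter(Mandatory)][string]$Root)

    if (Test-ReparsePoint -LiteralPath $Root) {
        throw "Refusing to clean '$Root': it is a reparse point"
    }
    # Get-ChildItem without -Recurse lists a junction as an entry but does not
    # descend into it; we handle each child ourselves.
    foreach ($child in Get-ChildItem -LiteralPath $Root -Force) {
        if ($child.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            Write-Warning "Reparse point in cleanup dir: $($child.FullName) -> $($child.Target)"
            # Delete the link object itself, never the target it points at.
            if ($child.PSIsContainer) { [IO.Directory]::Delete($child.FullName) }
            else                      { [IO.File]::Delete($child.FullName) }
            continue
        }
        if ($child.PSIsContainer) {
            Remove-CleanupDirectorySafely -Root $child.FullName
            [IO.Directory]::Delete($child.FullName)
        } else {
            [IO.File]::Delete($child.FullName)
        }
    }
}

# Demo layout (constructed): a cleanup directory containing a junction that
# points at a directory the cleanup must not touch.
$base    = Join-Path $env:TEMP ("junction-demo-" + [guid]::NewGuid())
$cleanup = Join-Path $base 'cleanup'   # stands in for a user-writable cleanup dir
$victim  = Join-Path $base 'victim'    # stands in for a SYSTEM-protected location
New-Item -ItemType Directory -Path $cleanup, $victim | Out-Null
Set-Content -LiteralPath (Join-Path $victim 'important.dll') -Value 'must survive'
Set-Content -LiteralPath (Join-Path $cleanup 'quarantine.tmp') -Value 'junk'

# Creating a junction needs no privilege, unlike a symlink; this is the
# primitive a low-privileged user brings to the cleanup routine.
New-Item -ItemType Junction -Path (Join-Path $cleanup 'cache') -Value $victim | Out-Null

Remove-CleanupDirectorySafely -Root $cleanup

"victim file still present : $(Test-Path -LiteralPath (Join-Path $victim 'important.dll'))"
"junk file removed         : $(-not (Test-Path -LiteralPath (Join-Path $cleanup 'quarantine.tmp')))"
"junction removed          : $(-not (Test-Path -LiteralPath (Join-Path $cleanup 'cache')))"

# The junction is already gone, so a recursive delete of the scratch tree is safe.
Remove-Item -LiteralPath $base -Recurse -Force
```

Run it from a non-elevated Windows PowerShell 5.1 or PowerShell 7 session. One caveat: the attribute check and the delete are two separate operations, so a determined attacker can race them by swapping a real directory for a junction in between. A cleanup routine that runs as SYSTEM should therefore open each entry with FILE_FLAG_OPEN_REPARSE_POINT and delete through that handle, or impersonate the owning user while deleting, rather than relying on a check-then-act sequence like the one shown here.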