Abusing TotalAV Anti Virus to Delete Arbitrary Files as SYSTEM

Overview

While investigating the behavior of TotalAV Anti Virus, I discovered a serious vulnerability that allows arbitrary file deletion as NT AUTHORITY\SYSTEM. What’s particularly concerning is that a regular, non-administrative user can trigger it by abusing how TotalAV Anti Virus handles its cleanup routines in combination with Windows NTFS junctions.

Despite attempts to responsibly disclose this issue to the vendor (TotalAV), I received no acknowledgment or response. I am now publishing technical details to raise awareness and hopefully prompt a fix.

The Vulnerability

Impact

  • Privilege escalation via file deletion:
    A non-admin user can delete files owned or protected by SYSTEM by abusing a cleanup feature in the antivirus.

  • Persistence and LPE vectors:
    By targeting specific files or system DLLs, this could lead to privilege escalation, denial of service, or persistence mechanisms (e.g., deleting scheduled task binaries, logs, or configuration files).

Root Cause

TotalAV Anti Virus provides a "cleanup" feature to remove residual files. This feature runs in the SYSTEM context.

However, the product does not verify the target path after resolving junctions or symbolic links. This allows an attacker to:

  1. Create a junction (e.g., using mklink /J) that redirects the user's temp directory to an arbitrary protected location.

  2. Trigger the cleanup so that it recursively deletes the contents of the attacker-controlled directory.

  3. The cleanup then blindly follows the junction, deleting files in the privileged location as SYSTEM.

Proof of Concept (PoC)

Here’s a high-level outline of how this can be exploited:

  1. Create a junction of the user temp directory to a system owned directory like C:\Windows\System32\drivers\etc

    mklink /J "C:\Users\<USERNAME>\AppData\Local\Temp" "C:\Windows\System32\drivers\etc"

  2. Trigger the antivirus’s cleanup feature targeting "C:\Users\<USERNAME>\AppData\Local\Temp"

Once invoked, the antivirus product recursively deletes everything under the junction path — as SYSTEM.


Responsible Disclosure

I made multiple attempts to disclose this issue privately and allow time for remediation, but the vendor failed to acknowledge or respond. If the vendor reaches out after publication, I am happy to collaborate and update this post accordingly.

Mitigation & Recommendations

Until a fix is released, system administrators can:

  • Monitor antivirus logs for unusual cleanup operations.

  • Block non-admin users from creating NTFS junctions (using Group Policy or access control).

  • Use file integrity monitoring tools to detect suspicious deletions.

Final Thoughts

This bug highlights a recurring pattern: security products introducing security issues by mishandling Windows features like NTFS reparse points. Cleanup features, especially those running with elevated privileges, must perform proper path sanitization and reparse point detection.
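The hardened cleanup logic the paragraph above calls for, as an added example that is not TotalAV's code (the vendor's implementation is not public): a recursive delete that refuses to run when its root is a reparse point and removes any link found inside as a link, never traversing the target. The fixture names (victim, temp, link) are constructed; the Windows junction branch assumes Python 3.8+ lstat/unlink semantics, while the fixture itself uses POSIX symlinks so it runs anywhere.

```python
import os
import stat
import tempfile
from pathlib import Path

def is_reparse_point(path: str) -> bool:
    """True for a symlink, or on Windows for any reparse point (junction, mount point)."""
    st = os.lstat(path)  # lstat inspects the entry itself, never what it points to
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only; 0 elsewhere
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def safe_cleanup(root: str) -> list:
    """Delete everything under `root` without following a reparse point.
    If `root` itself is a junction/symlink (the PoC scenario) refuse outright;
    a link found inside `root` is unlinked as a link and its target never traversed."""
    if is_reparse_point(root):
        raise PermissionError(f"refusing cleanup: {root} is a reparse point")
    removed = []
    for entry in list(os.scandir(root)):  # materialize before deleting entries
        if is_reparse_point(entry.path):
            os.unlink(entry.path)  # removes only the link entry (Python 3.8+ on Windows)
        elif entry.is_dir(follow_symlinks=False):
            removed += safe_cleanup(entry.path)
            os.rmdir(entry.path)
        else:
            os.unlink(entry.path)
        removed.append(entry.path)
    return removed

def demo() -> dict:
    """Constructed fixture: a user temp dir containing a link to a protected dir."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")  # stands in for C:\Windows\System32\drivers\etc
    temp = os.path.join(base, "temp")      # stands in for the user's %TEMP%
    os.makedirs(os.path.join(temp, "sub"))
    os.makedirs(victim)
    Path(victim, "hosts").write_text("127.0.0.1 localhost\n")
    Path(temp, "junk.tmp").write_text("x")
    Path(temp, "sub", "more.tmp").write_text("y")
    os.symlink(victim, os.path.join(temp, "link"), target_is_directory=True)
    os.symlink(victim, os.path.join(base, "temp_as_link"), target_is_directory=True)
    removed = safe_cleanup(temp)  # nested link is removed as a link, target untouched
    try:
        safe_cleanup(os.path.join(base, "temp_as_link"))  # root is a link: refused
        refused = False
    except PermissionError:
        refused = True
    return {"victim_intact": os.path.exists(os.path.join(victim, "hosts")),
            "temp_empty": not os.listdir(temp), "removed": len(removed), "root_link_refused": refused}
```

The check-then-scan sequence still leaves a TOCTOU window; a production implementation running as SYSTEM should open the directory with reparse-point-safe flags and delete relative to that handle rather than by path.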

If you're a vendor reading this — sanitize your cleanup logic.
