IObit Malware Fighter
cpe:2.3:a:iobit:malware_fighter:*:*:*:*:*:*:*
- 12.1.0
A vulnerability in IObit Malware Fighter version 12.1.0 allows unprivileged users to delete arbitrary files. The issue arises from an exposed IOCTL in the IMFForceDelete driver. The vulnerability can be leveraged for privilege escalation by exploiting the Windows Installer (MSI) rollback mechanism. By deleting and recreating certain files with a weak Discretionary Access Control List (DACL), attackers can gain elevated privileges and make arbitrary changes to the system as the NT AUTHORITY\SYSTEM user.
Exploitation of this vulnerability allows for unauthorized file deletions and local privilege escalation, enabling a user to execute actions with elevated system rights.
The vulnerability can be reproduced by sending a request to the IMFForceDelete driver that includes the IOCTL for file deletion. After deleting a file, the MSI rollback mechanism can be abused by recreating the deleted file with a weak DACL, along with fake RBF and RBS files. This process grants the ability to make arbitrary changes to the system with NT AUTHORITY\SYSTEM privileges.
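The weak DACL mentioned above is something a defender can audit for. The following added example (not part of the original advisory or of any vendor tooling) parses an SDDL string and reports allow ACEs that give broad principals write-type access. The principal list, the set of rights treated as write-type, and the sample descriptors are assumptions made for the example.

```python
import re

# Assumption: SDDL SID aliases treated as unprivileged principals for this audit.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "BU": "BUILTIN\\Users", "IU": "INTERACTIVE"}
# Right tokens that allow modifying, deleting or re-permissioning the object.
# In the rights field "WD" means WRITE_DAC; in the trustee field it means Everyone.
WRITE_TOKENS = {"GA", "GW", "FA", "FW", "SD", "WD", "WO"}
# Equivalent bits for hex masks: FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE,
# WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

def grants_write(rights):
    """True if an SDDL rights field (token string or hex mask) includes write-type access."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & WRITE_TOKENS)

def weak_aces(sddl):
    """Return (principal, rights) for each DACL allow ACE granting a broad principal write access."""
    # DACL section: "D:", optional flags (P, AI, AR, ...), then a run of "(...)" ACEs.
    # Conditional ACEs with nested parentheses are not parsed by this sketch.
    m = re.search(r"D:[A-Z_]*((?:\([^()]*\))*)", sddl)
    if not m:
        return []
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type == "A" and trustee in BROAD and grants_write(rights):
            findings.append((BROAD[trustee], rights))
    return findings

if __name__ == "__main__":
    # Constructed sample descriptors, not taken from a real system.
    samples = {
        "hardened": "O:SYG:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)",
        "weak": "O:BUG:BUD:(A;OICI;FA;;;WD)(A;;FA;;;SY)",
    }
    for name, sddl in samples.items():
        print(name, weak_aces(sddl))
```

On Windows, the SDDL string for a path can be read with PowerShell's `(Get-Acl <path>).Sddl` and passed to `weak_aces`.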