A technique that exploits a Windows 10 Microsoft Store tool called 'wsreset.exe' can delete files to bypass antivirus protection on a host without being detected.

Wsreset.exe is a legitimate troubleshooting tool that lets users diagnose problems with the Windows Store and reset its cache.

Pentester and researcher Daniel Gebert has discovered that wsreset.exe can be abused to delete arbitrary files.

Because wsreset.exe deals with Windows settings, it runs with elevated privileges, so this bug would allow attackers to delete files even when they would not normally have the privileges to do so.

Deleting files using wsreset.exe

When creating temporary cache and cookie files, the Windows Store stores these files in the following directories:

%UserProfile%\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\INetCache
%UserProfile%\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\INetCookies

After analyzing the wsreset utility, Gebert found that the tool will delete files present in these folders, thereby "resetting" the cache and cookies for the Windows Store application.

The exploitation technique described here relies on the simple concept of "folder junctions", which are similar to, but more limited than, symbolic links (symlinks).

If an attacker can create a link that points this \INetCookies path to a target directory of the attacker's choice, the target directory will be the one deleted when wsreset runs. This is because wsreset runs with auto-elevated privileges by default.

To begin, the attacker first deletes the \INetCookies folder (which the wsreset utility would have otherwise cleared). Users with limited privileges can delete the folder, so that isn't a challenge: either an attacker with control of a user account or a malicious script running within the compromised user's account can accomplish this.

INetCookies folder with a standard user having full privileges
Source: Daniel's IT blog

Following this, the attacker creates a "link" or folder junction, making the \INetCookies location point to a privileged location they'd like wsreset.exe to delete.

In the example shown below, the attacker maps the \INetCookies directory to the "C:\Windows\System32\drivers\etc" location. The \etc folder contains important configuration and settings files, including the "hosts" file for configuring local DNS rules.

"This can be done by using mklink.exe with the '/J' parameter or via the powershell new-item command with the '-ItemType .' parameter," Gebert explains in his blog post.

Using mklink to create folder junction 
Source: Daniel's IT blog

Now, when "wsreset" is run by the attacker or their script, the "\etc" folder, which would otherwise require elevated privileges to clear, would be deleted.
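
A defender can check for the redirection described above by testing whether either Store cache folder has been replaced with a junction or other reparse point. The PowerShell below is an added example, not code from this article or the researcher's blog; the function name Test-StoreCacheRedirect and the C:\Users profile root are assumptions.

```powershell
# Added example: audit the Windows Store cache folders named in the article
# for folder junctions or other reparse points.
# Assumption: user profiles live under C:\Users. Run elevated to read every profile.
function Test-StoreCacheRedirect {
    param([string]$ProfilesRoot = 'C:\Users')

    $relativePaths = @(
        'AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\INetCache',
        'AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\INetCookies'
    )

    $profiles = Get-ChildItem -LiteralPath $ProfilesRoot -Directory -Force -ErrorAction SilentlyContinue
    foreach ($userDir in $profiles) {
        foreach ($rel in $relativePaths) {
            $path = Join-Path $userDir.FullName $rel

            # Get-Item -Force returns the link object itself, not the folder it points to.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if (-not $item) { continue }   # Store never used by this profile, or folder removed

            [pscustomobject]@{
                Path            = $path
                IsReparsePoint  = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
                LinkType        = $item.LinkType            # 'Junction', 'SymbolicLink' or empty
                Target          = ($item.Target -join ';')  # where the link resolves to
                CreationTimeUtc = $item.CreationTimeUtc     # a recreated folder has a recent timestamp
            }
        }
    }
}

# A normal cache folder is a plain directory, so any reparse point here deserves review,
# especially one whose Target lies outside the user's own profile.
Test-StoreCacheRedirect | Where-Object IsReparsePoint | Format-List
```

An empty result means no cache folder under the scanned profiles is currently a link; it does not show whether one existed earlier and was removed after wsreset ran.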

Abusing wsreset to bypass antivirus software

The researcher demonstrated how this behavior could be abused to bypass antivirus protections, focusing on Adaware as an example.

"Adaware antivirus stores configuration files (and more) in the folder 'C:\ProgramData\adaware\adaware antivirus'. Adaware antivirus needs these files to interact with malware signatures/definitions downloaded before. Regular users cannot delete this folder," Gebert stated.

Adaware settings directory cannot be deleted by a standard user account

Once the attacker creates their "\INetCookies" folder junction to point to the "\adaware antivirus" folder and runs wsreset, the files within the folder are deleted seamlessly.

Granted, some files (which were in use by the antivirus) may remain within the folder even after wsreset runs, but that's not a problem. The overall process is enough to corrupt and spin the antivirus out of control.

On reboot, after the antivirus relaunches, it would be deactivated permanently. This is because its settings, signatures/definitions, and other core files have been purged from the system. And the antivirus wasn't able to detect or prevent this either.

This privilege escalation vulnerability in the wsreset.exe utility can also be abused for other purposes, such as UAC bypass, as previously demonstrated by Hashim Jawad in 2019.

These are just some of the examples of unchecked permissions on core system files that can aid adversaries in flying under the radar while compromising systems.
