A flaw in Windows 10 Store ‘wsreset’ tool lets potential hackers bypass antivirus and delete any file
Pentester and security researcher Daniel Gebert has discovered a flaw in the Windows 10 Store reset tool, wsreset.exe which can be used to bypass the anti-virus installed on the Windows 10 PC/laptop and delete any file. Gebert was working on a follow up of wsreset tool UAC bypass previously demonstrated by Hashim Jawad in 2019.
wsreset.exe is Microsoft’s troubleshooting tool designed to reset the Windows Store without changing account settings or deleting installed apps. Simply put, this executable clears the Windows Store cache. You can run WSReset.exe from the Run command.
wsreset.exe tool works with administrative privileges. According to Gebert, If the wsreset flaw is successfully exploited, it could allow a potential hacker to bypass any installed anti-virus software and randomly delete any kind of files.
Gebert used Adaware Antivirus to demonstrate his proof-of-concept on his blog. He was able to exploit the wsreset and delete Adaware signature files with ease.
“Adaware antivirus stores configuration files (and more) in the folder ‘C:\ProgramData\adaware\adaware antivirus’. Adaware antivirus needs these files to interact with malware signatures/definitions downloaded before. Regular users cannot delete this folder,” Gebert states in his blog post.
When wsrest.exe is run with administrator privileges, Gebert found that it allows potential hackers to easily access all areas in the Windows 10 store. When this file is run, it uses all kinds of symbolic links (symlinks) to detect directories where cache and cookies are stored. Gebert demonstrated that he could create a link that points this \InetCookies path to a target directory of his choice, in this case, the adaware AV signature files directory. Using the wsreset he then proceeded to delete the adaware AV signature files. This is because wsreset runs with auto-elevated privileges by default.
Gebert says that this attack allows malicious actors to bypass the security measures of any Windows 10 run PC/laptop. By itself, this attack only could generate random files deletion, but potential hackers could use this vulnerability in combination with other attack methods to compromise the targeted PC/laptop and install any malware/ransomware.