From over at the Bad Place:
https://gist.github.com/alfarom256/f1342f14dc6a742de7ea4004a1b6d7ed
IObit Malware Fighter has a driver device called IMFForceDelete123.
When you call the only exposed IOCTL to this device, 0x8016E000, along with a specified path, the Windows kernel will delete the specified file/directory. NTFS ACLs don't matter because we're the kernel.
Who is allowed to interact with this device? EVERYONE.
The more software you have on your system, the less secure it is.
We can demonstrate the attack pretty easily. Sure, deleting notepad.exe isn't terribly interesting in and of itself.
But I'm quite sure that attackers can figure out a way to be more clever with this power.
@wdormann it can be used for privilege escalation: https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks
@http The driver is version 7.0.0.5 from the current version of IObit Malware Fighter. It was signed on Aug 2, 2022 with an Authenticode hash of 0xF003C8ABF8A692DE770EB3BB8BABEC8C72F836D856F9C96F4DE30E3AB47FEA0F
Or if you're looking for a raw file hash including the non-code part, I get
F58C4562FC2E6D40F3763BA503D0F723055791948051F19DEAA4FF0366468570
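A defensive use of the two hashes above, added here as example code (not from the thread, the gist, or IObit): a Python helper that computes a file's raw SHA-256 and its Authenticode SHA-256 (which skips the CheckSum field, the Security directory entry and the certificate table, so the two values differ) and matches either against the quoted values. `build_sample_pe` is a constructed, non-loadable stand-in used only to exercise the hashing; it is not a real driver image.

```python
import hashlib
import struct

# Hashes quoted in the thread for the IMFForceDelete driver, version 7.0.0.5.
KNOWN_BAD_AUTHENTICODE = "F003C8ABF8A692DE770EB3BB8BABEC8C72F836D856F9C96F4DE30E3AB47FEA0F"
KNOWN_BAD_RAW = "F58C4562FC2E6D40F3763BA503D0F723055791948051F19DEAA4FF0366468570"

def raw_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()

def authenticode_sha256(data: bytes) -> str:
    """SHA-256 as Authenticode computes it: CheckSum, the Security directory entry and the
    certificate table are skipped. Assumes the common layout with the cert table at the end."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # data directories start: PE32 vs PE32+
    checksum_off = opt + 64
    secdir_off = dirs + 4 * 8                              # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_len = struct.unpack_from("<II", data, secdir_off)
    end = cert_off if cert_len else len(data)
    h = hashlib.sha256(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:end])
    if cert_len:
        h.update(data[cert_off + cert_len:])                # any bytes after the cert table
    return h.hexdigest().upper()

def is_known_vulnerable(data: bytes) -> bool:
    """Match a file against both hashes given in the thread; non-PE input never matches."""
    if raw_sha256(data) == KNOWN_BAD_RAW:
        return True
    try:
        return authenticode_sha256(data) == KNOWN_BAD_AUTHENTICODE
    except (ValueError, struct.error):
        return False

def build_sample_pe(body: bytes, cert: bytes, checksum: int = 0) -> bytes:
    """Constructed, non-loadable PE32+ stand-in (not a real driver) for exercising the hash."""
    hdr_len = 64 + 4 + 20 + 240 + 40                       # DOS + signature + COFF + optional + 1 section
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0)
    opt = bytearray(240)                                   # PE32+ optional header incl. 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)                  # Magic: PE32+
    struct.pack_into("<I", opt, 64, checksum)              # CheckSum
    struct.pack_into("<II", opt, 112 + 4 * 8, hdr_len + len(body), len(cert))  # Security dir
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), 0x1000, len(body), hdr_len, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + body + cert
```

Run it against the driver file pulled from an installed system (e.g. `is_known_vulnerable(open(path, "rb").read())`) to confirm whether the signed build quoted in the thread is present.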
@wdormann Thanks. But the product would have to be already installed by an admin, right? I was thinking of deleting Defender files that way, but probably not possible without elevation.
@http Yes, this is only a problem for systems that already have IObit Malware Fighter installed.
@buherator @http Sure, but if you're already an admin, the world is your oyster.
Load any driver you want (vulnerable or not), roll back security patches, whatevs...