Even security solutions are exposed to vulnerability exploitation. Hacking course specialists from Tempest revealed the discovery of a security flaw in the Avast Secure Browser (ASB) update process that, if exploited, would lead to a privilege escalation on the affected system.
Apparently, the flaw exists because the privileged process responsible for browser updates performs a log operation on a file and, in doing so, redefines the file's permissions, granting broad privileges to any user. Using a hardlink, that operation can be redirected to an arbitrary file, so that the privileged process begins to operate on the redirected file, redefining its
What does the term hardlink mean? According to the members of the hacking course, these are additional directory entries that refer to the same file contents on an NTFS volume from other directories on that volume. Such links can be created very easily with mklink, a tool included in almost any recent version of Windows.
There are two conditions for creating hardlinks with the mentioned tool: (1) the user needs write privileges on the target file, and (2) the user needs write privileges in the directory where the hardlink will be

The first condition would seem to rule out using hardlinks in privilege escalation exploits, because if the user already has permission to write to the target file, it would be sufficient to overwrite it directly with the desired content.
The instructors in the hacking course discovered that, when the CreateHardLink API is implemented, the NtOpenFile function used to open the target file is called with FILE_WRITE_ATTRIBUTES as the requested access, which is why write privileges on the target are demanded during hardlink creation. However, when NtOpenFile is called directly, the FILE_WRITE_ATTRIBUTES flag can be omitted, so it is possible to create a hardlink to a file on which the user only has read permission.
For their proof-of-concept, researchers conducted an inspection with AccessEnum on some ASB-linked directories to find files with excessive permissions:
As we can see, one of the high-privileged files is Update.ini, located at C:\ProgramData\AVAST Software\Browser\Update. The above image also shows that any user can take full control over the
Filters were then set up to monitor any operation performed on Update.ini by a privileged process; the AvastBrowserUpdate.exe process can be seen performing several operations on the target file, the experts of the hacking course note:
Subsequently, Update.ini was replaced with a hardlink pointing to C:\Program Files\Avast Software\Browser\Update\184.108.40.206\psmachine.dll, and the update process was started. In this way, the permissions of psmachine.dll were redefined to grant full control to any user:
To complete the privilege escalation, the contents of the DLL were replaced with a DLL that returns a shell impersonating the NT AUTHORITY\SYSTEM user.
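The whole chain above depends on the privileged process writing to, and resetting permissions on, a file in a user-writable directory without noticing that the name it was given now resolves to a different file. The script below is an added example written for this article; it is not code from Tempest, Avast or IICS. It reproduces the redirection in a temporary directory (a constructed `Update.ini` hardlinked to a stand-in `psmachine.dll`) and shows the check a defender would add to the updater: inspect the already-open handle with `fstat` and refuse to proceed when the link count is greater than one or the object is not a regular file. Checking the handle rather than the path closes the window between the check and the write. The hardlink here is created with `os.link`, which on Windows also needs write access to the target, so the example demonstrates the mitigation, not the NtOpenFile detail from the article. File names and the appended log line are constructed for the demo.

```python
"""Defensive link-count check for a privileged logger/updater (added example)."""
import os
import stat
import tempfile

# Constructed stand-ins for the privileged operation described in the article:
# append a log line, then "reset" the file's permissions to a permissive mode.
LOG_LINE = b"update started\n"
RESET_MODE = 0o666


def handle_is_plain_file(fd: int) -> tuple[bool, str]:
    """Inspect an already-open handle so no rename/link race can slip in.

    A file reachable under more than one name has st_nlink > 1; that is exactly
    the situation a hardlink redirection creates, so refuse to operate on it.
    """
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_nlink > 1:
        return False, f"link count {st.st_nlink}: file is reachable under another name"
    return True, "ok"


def privileged_write(path: str, check_links: bool) -> tuple[bool, str]:
    """Simulate the updater: append LOG_LINE to `path` and reset its mode.

    With check_links=True the write is refused for hardlinked or non-regular
    targets. Returns (performed, reason).
    """
    # O_NOFOLLOW (POSIX) rejects symlinks at open time; absent on Windows.
    flags = os.O_WRONLY | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        return False, f"open refused: {exc.strerror}"
    try:
        if check_links:
            ok, why = handle_is_plain_file(fd)
            if not ok:
                return False, why
        os.write(fd, LOG_LINE)
        # The permission reset that the article describes; done on the handle
        # where the platform allows it.
        if hasattr(os, "fchmod"):
            os.fchmod(fd, RESET_MODE)
        else:
            os.chmod(path, RESET_MODE)
        return True, "written"
    finally:
        os.close(fd)


def demo(check_links: bool, redirect: bool) -> dict:
    """Constructed scenario in a temp dir.

    redirect=True: Update.ini is a hardlink to the protected DLL (the attack).
    redirect=False: Update.ini is an ordinary file (the honest case).
    """
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "psmachine.dll")  # stand-in for the real binary
        with open(protected, "wb") as f:
            f.write(b"ORIGINAL")
        ini = os.path.join(d, "Update.ini")
        if redirect:
            os.link(protected, ini)  # the redirection primitive from the article
        else:
            with open(ini, "wb") as f:
                f.write(b"[update]\n")
        performed, reason = privileged_write(ini, check_links)
        with open(protected, "rb") as f:
            content = f.read()
        return {
            "performed": performed,
            "reason": reason,
            "protected_modified": content != b"ORIGINAL",
            "protected_nlink": os.stat(protected).st_nlink,
        }


if __name__ == "__main__":
    print("no check, hardlink :", demo(check_links=False, redirect=True))
    print("check, hardlink    :", demo(check_links=True, redirect=True))
    print("check, honest file :", demo(check_links=True, redirect=False))
```

Run as a script, the first line shows the unchecked updater appending to the protected file through the link; the second shows the checked updater refusing because the link count is 2; the third shows that the check does not interfere with an ordinary, unlinked log file.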
According to the researchers, there is still no fix for this vulnerability, although no cases of exploitation have been detected in real-world scenarios. The International Institute of Cyber Security (IICS) recommends that administrators of vulnerable deployments remain aware of any updates or recommendations issued by Avast.