
Privilege escalation vulnerability in Avast Secure Browser allows hacking Windows systems

Even security solutions are exposed to vulnerability exploitation. Hacking course specialists from Tempest revealed the discovery of a security flaw in the Avast Secure Browser (ASB) update process that, if exploited, would lead to a privilege escalation on the affected system.

Apparently, the flaw exists because the privileged process responsible for browser updates performs a log operation on a file and, in doing so, resets that file's permissions, granting broad privileges to any user. If the file is replaced with a hardlink, the operation is redirected to an arbitrary target: the privileged process then operates on the redirected file and resets its permissions instead.

What does the term hardlink mean? According to the members of the hacking course, these are symbolic links that refer to a representation of the contents of a file on an NTFS volume from other directories on the same volume. Such links can be created very easily with mklink, a tool included in almost every recent version of Windows.

There are two conditions for creating hardlinks with this tool:

  • The user needs write privileges on the target file
  • The user needs write privileges in the directory where the hardlink will be created

The first condition would seem to rule out the use of hardlinks in privilege escalation exploits, since a user who already has permission to write to the target file could simply overwrite it with the desired content.

The instructors in the hacking course discovered that, when the NtOpenFile function opens the file during the implementation of the CreateHardLink API, the value FILE_WRITE_ATTRIBUTES is passed as the requested access, which is why write privileges are needed to create the hardlink. However, when NtOpenFile is called directly, the FILE_WRITE_ATTRIBUTES flag can be dropped, so it is possible to create a hardlink to a file on which the user has only read permission.

For their proof-of-concept, researchers conducted an inspection with AccessEnum on some ASB-linked directories to find files with excessive permissions:

SOURCE: Tempest

As we can see, one of the files with excessive permissions is Update.ini, located at C:\ProgramData\AVAST Software\Browser\Update. The above image also shows that any user can take full control of the mentioned file.
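As an added example (not code from Tempest, Avast or the original article), the following PowerShell audit reproduces the defensive side of this inspection: it lists files under a directory whose ACL grants write, delete or ACL-modification rights to broad principals, and flags files that are already hardlinked. The directory path is the one named in the article; the list of broad principals is an assumption to adapt per environment.

```powershell
# Added example: audit a directory for the two preconditions of the issue
# described above (broad write ACEs on a file written by a privileged
# process, and files that already have more than one hard link).
param(
    # Path taken from the article; the principal list is an assumption.
    [string]$Path = 'C:\ProgramData\AVAST Software\Browser\Update',
    [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                   'NT AUTHORITY\Authenticated Users')
)

# Rights that let a low-privileged user alter the file or its ACL. FullControl
# includes all of these bits, so it is matched as well.
$riskyMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteDac, WriteOwner, Delete'

function Get-BroadWriteAces {
    param([string]$File)
    $acl = Get-Acl -LiteralPath $File
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $riskyMask) -ne 0) { $ace }
    }
}

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $aces = @(Get-BroadWriteAces -File $_.FullName)
    # PowerShell exposes LinkType on FileInfo; 'HardLink' means the file
    # has more than one directory entry on the volume.
    $isHardLinked = ($_.LinkType -eq 'HardLink')
    if ($aces.Count -gt 0 -or $isHardLinked) {
        [pscustomobject]@{
            File       = $_.FullName
            BroadAces  = ($aces | ForEach-Object {
                              "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            HardLinked = $isHardLinked
        }
    }
}
```

Any file reported with both a broad write ACE and a privileged writer is a candidate for the redirection described in the article; `fsutil hardlink list <file>` shows the other link names when one is flagged.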

From this directory, the experts of the hacking course created filters to monitor any operation performed on Update.ini by a privileged process; the AvastBrowserUpdate.exe process can then be seen performing several operations on the target file:

SOURCE: Tempest

Subsequently, Update.ini was replaced with a hardlink pointing to C:\Program Files\Avast Software\Browser\Update\1.5.245.0\psmachine.dll and the update process was started. In this way, the permissions of psmachine.dll were reset to grant full control to any user:

SOURCE: Tempest

To complete the privilege escalation, the contents of the DLL were replaced with one that returns a shell running as the NT AUTHORITY\SYSTEM user.

SOURCE: Tempest

According to the researchers, there is still no solution for this vulnerability, although no cases of exploitation have been detected in real-world scenarios. The International Institute of Cyber Security (IICS) recommends that administrators of vulnerable deployments stay alert for any updates or recommendations issued by Avast.
