lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Jul 2018 16:18:43 -0300 From: filipe <filipe.xavier@...pest.com.br> To: fulldisclosure@...lists.org Subject: [FD] Total AV 4.1.7 ~ 4 .6.19 - Insecure Permissions =====[ Tempest Security Intelligence - ADV-23/2018 ]=== Total AV 4.1.7 ~ 4 .6.19 - Insecure Permissions ------------------------------------------------------- Author: - Filipe Xavier Oliveira: < filipe.xavier () tempest.com.br <http://tempest.com.br/> =====[ Table of Contents ]===================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Overview ]============================================================== * System affected : Total AV [1] * Software Version : 4.1.7 ~ 4 .6.19. Other versions or models may also be affected. * Impact : A malware could overwrite originals files to do persistence or elevate privileges, because the installation folder gives full access to any user on the system. =====[ Detailed description ]================================================== A vulnerability allows local attackers to escalate privilege on TotalAV because of weak "C:\Program Files\TotalAV" permissions. The specific flaw exists within the access control that is set and modified during the installation of the product. The product sets weak access control restrictions. An attacker can leverage this vulnerability to execute arbitrary code under the context of Administrator, the IUSR account, or SYSTEM. The TotalAV installation folder permissions: C:\Program Files>icacls TotalAV TotalAV BUILTIN\Users:(OI)(CI)(F) Everyone:(OI)(CI)(F) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) =====[ Timeline of disclosure ]=============================================== 06/28/2018 - Vendor was informed of the vulnerability, but the contact form on the site does not seem to work. 07/12/2018 - The vendor was contacted again but did not respond. 07/12/2018 - CVE assigned [2] 07/12/2018 - Advisory publication date. =====[ Thanks & Acknowledgements ]============================================ - Tempest Security Intelligence / Tempest's Pentest Team [3] =====[ References ]=========================================================== [1] - https://www.totalav.com/ [2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name= <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5313>CVE-2018-7535 [3] http://www.tempest.com.br/ -- Filipe Oliveira Tempest Security Intelligence _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists