lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 31 Jul 2019 17:33:33 -0300
From: filipe <>
Subject: [FD] Avira Free Security Suite 2019 - Exploiting Arbitrary File
 Writes for Local Elevation of Privilege

=====[ Tempest Security Intelligence - ADV-01/2019

Avira Free Security Suite 2019 - Software Updater v2.0.6.13175
Author: Silton Santos
Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of

* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Vulnerability

* Class: Improper Access Control[CWE-284][1]
* CVE-2019-11396[2]


* System affected : Avira Free Security Suite 2019 - Software Updater[3].
* Software Version : (other versions may also be affected).
* Impact : An unprivileged user could obtain SYSTEM privileges.

=====[ Detailed

The permissive access rights on the SoftwareUpdater folder (files /
are incompatible with the privileged file manipulation performed by the
Files can be created that can be used by an unprivileged user to obtain
SYSTEM privileges.
Arbitrary file creation can be achieved by abusing the SwuConfig.json
file creation.
An unprivileged user can replace these files by symbolic links to
arbitrary files.
When an update occurs, a privileged service creates a file and sets its
access rights,
offering write access to the Everyone group in any directory.

More Details:

=====[ Timeline of

15/Apr/2019 - Responsible disclosure initiated with the vendor.
16/Apr/2019 - Vendor requested more details about the exploitation.
21/Apr/2019 - CVE assigned (reserved) CVE-2019-11396.
21/Apr/2019 - Email sent to the vendor requesting an update on the fix
23/Apr/2019 - The vendor has reproduced the vulnerability and works to
correct it.
21/May/2019 - The vulnerability has been fixed and the vendor has
informed that the release will be done in one week.
28/May/2019 - The vendor reported that the vulnerability had been fixed
and that the update was public.
o4/Jun/2019 - Email sent to the vendor stating that the vulnerability
has not been fixed.
18/Jun/2019 - Avira reported that the vulnerability has been fixed.
19/Jun/2019 - Email sent to the vendor stating that the vulnerability
has not been fixed.
03/Jul/2019 - Avira replied that he had identified the real problem and
was going to try to correct it again.
08/Jul/2019 - The vendor fixed the vulnerability.

=====[ Thanks &

- Tempest Security Intelligence [4]

=====[ References





=====[ EOF

View attachment "Avira-adv-CVE-2019-11396.txt" of type "text/plain" (3241 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists