lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <23837793-896c-47b7-4ce4-666f38decfe3@tempest.com.br>
Date: Wed, 31 Jul 2019 17:33:33 -0300
From: filipe <filipe.xavier@...pest.com.br>
To: fulldisclosure@...lists.org
Subject: [FD] Avira Free Security Suite 2019 - Exploiting Arbitrary File
 Writes for Local Elevation of Privilege

=====[ Tempest Security Intelligence - ADV-01/2019
]==========================

Avira Free Security Suite 2019 - Software Updater v2.0.6.13175
Author: Silton Santos
Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of
Contents]=====================================================

* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Vulnerability
Information]=============================================

* Class: Improper Access Control[CWE-284][1]
* CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2019-11396[2]

=====[
Overview]==============================================================

* System affected : Avira Free Security Suite 2019 - Software Updater[3].
* Software Version : 2.0.6.13175 (other versions may also be affected).
* Impact : An unprivileged user could obtain SYSTEM privileges.

=====[ Detailed
description]==================================================

The permissive access rights on the SoftwareUpdater folder (files /
folders)
are incompatible with the privileged file manipulation performed by the
product.
Files can be created that can be used by an unprivileged user to obtain
SYSTEM privileges.
Arbitrary file creation can be achieved by abusing the SwuConfig.json
file creation.
An unprivileged user can replace these files by symbolic links to
arbitrary files.
When an update occurs, a privileged service creates a file and sets its
access rights,
offering write access to the Everyone group in any directory.

More Details:
https://medium.com/sidechannel-br/vulnerabilidade-no-avira-security-suite-pode-levar-%C3%A0-escala%C3%A7%C3%A3o-de-privil%C3%A9gios-no-windows-71964236c077


=====[ Timeline of
disclosure]===============================================

15/Apr/2019 - Responsible disclosure initiated with the vendor.
16/Apr/2019 - Vendor requested more details about the exploitation.
21/Apr/2019 - CVE assigned (reserved) CVE-2019-11396.
21/Apr/2019 - Email sent to the vendor requesting an update on the fix
status.
23/Apr/2019 - The vendor has reproduced the vulnerability and works to
correct it.
21/May/2019 - The vulnerability has been fixed and the vendor has
informed that the release will be done in one week.
28/May/2019 - The vendor reported that the vulnerability had been fixed
and that the update was public.
o4/Jun/2019 - Email sent to the vendor stating that the vulnerability
has not been fixed.
18/Jun/2019 - Avira reported that the vulnerability has been fixed.
19/Jun/2019 - Email sent to the vendor stating that the vulnerability
has not been fixed.
03/Jul/2019 - Avira replied that he had identified the real problem and
was going to try to correct it again.
08/Jul/2019 - The vendor fixed the vulnerability.

=====[ Thanks &
Acknowledgements]============================================

- Tempest Security Intelligence [4]

=====[ References
]===========================================================

[1] https://cwe.mitre.org/data/definitions/284.html

[2] https://cwe.mitre.org/data/definitions/284.html

[3] https://www.avira.com/pt-br/free-security-suite

[4] http://www.tempest.com.br

=====[ EOF
]====================================================================


View attachment "Avira-adv-CVE-2019-11396.txt" of type "text/plain" (3241 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ