[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACxCFqeKbM0Aw7x-uDac+nkW1QY1LBg32UkwHSXJUQsWdPVWEg@mail.gmail.com>
Date: Tue, 17 Mar 2020 13:34:33 -0300
From: Silton Renato Pereira dos Santos <silton.santos@...pest.com.br>
To: fulldisclosure@...lists.org
Subject: [FD] LPE in Avast Secure Browser
=====[ Tempest Security Intelligence - ADV-01/2020
]==========================
Avast Secure Browser 76.0.1659.101
Author: Silton Santos
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of
Contents]=====================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References
=====[ Vulnerability
Information]=============================================
* Class: Improper Access Control[CWE-284][1]
* CVE-2019-17190[2]
=====[
Overview]======================================================================
* System affected : Avast Secure Browser [3]
* Software Version : 76.0.1659.101
* Impact : An unprivileged user could obtain SYSTEM privileges.
=====[ Detailed
description]==========================================================
A Local Privilege Escalation issue was discovered in Avast Secure Browser
76.0.1659.101.
The vulnerability is due to an insecure ACL set by the
AvastBrowserUpdate.exe (which is
running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new
updates.
When the update check is triggered, the elevated process cleans the ACL of
the Update.ini
file in %PROGRAMDATA%\Avast Software\Browser\Update\ and sets all
privileges to group Everyone.
Because any low-privileged user can create, delete, or modify the
Update.ini file stored in this
location, an attacker with low privileges can create a hard link named
Update.ini in this folder,
and make it point to a file writable by NT AUTHORITY\SYSTEM. Once
AvastBrowserUpdate.exe is
triggered by the update check functionality, the DACL is set to a
misconfigured value on the
crafted Update.ini and, consequently, to the target file that was
previously not writable by the
low-privileged attacker.
More Details:
https://sidechannel.tempestsi.com/vulnerability-in-avast-secure-browser-enables-escalation-of-privileges-on-windows-eb770d196c45
=====[ Timeline of
disclosure]=======================================================
* 23/Aug/2019 — Responsible disclosure is started with Avast;
* 26/Aug/2019 — Vulnerability analysis is started;
* 15/Sep/2019 — Vulnerability is confirmed by Avast which initiates
correction;
* 20/Dec/2019 — Avast informs that it is performing the final checks and
that the patch is scheduled for 20/Jan/2020;
* 20/Dec/2019 — Avast thanks all the support provided and asks for a name
to carry out a public thank you;
* 20/Jan/2020 — Avast communicates that there is a public release with the
fixed vulnerability;
* 21/Jan/2020 — Avast releases a thank you note for all the given support
=====[ Thanks &
Acknowledgements]====================================================
- Tempest Security Intelligence [4]
=====[ References
]===========================================================
[1] https://cwe.mitre.org/data/definitions/284.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17190
[3] https://www.avast.com/pt-br/index#pc
[4] http://www.tempest.com.br
=====[ EOF
]====================================================================
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists