Avast Secure Browser 76.0.1659.101 Local Privilege Escalation ≈ Packet Storm

=====[ Tempest Security Intelligence – ADV-01/2020

Avast Secure Browser 76.0.1659.101
Author: Silton Santos
Tempest Security Intelligence – Recife, Pernambuco – Brazil

=====[ Table of

* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Vulnerability

* Class: Improper Access Control[CWE-284][1]
* CVE-2019-17190[2]


* System affected : Avast Secure Browser [3]
* Software Version : 76.0.1659.101
* Impact : An unprivileged user could obtain SYSTEM privileges.

=====[ Detailed

A Local Privilege Escalation issue was discovered in Avast Secure Browser
The vulnerability is due to an insecure ACL set by the
AvastBrowserUpdate.exe (which is
running as NT AUTHORITYSYSTEM) when AvastSecureBrowser.exe checks for new
When the update check is triggered, the elevated process cleans the ACL of
the Update.ini
file in %PROGRAMDATA%Avast SoftwareBrowserUpdate and sets all
privileges to group Everyone.
Because any low-privileged user can create, delete, or modify the
Update.ini file stored in this
location, an attacker with low privileges can create a hard link named
Update.ini in this folder,
and make it point to a file writable by NT AUTHORITYSYSTEM. Once
AvastBrowserUpdate.exe is
triggered by the update check functionality, the DACL is set to a
misconfigured value on the
crafted Update.ini and, consequently, to the target file that was
previously not writable by the
low-privileged attacker.

More Details:

=====[ Timeline of

* 23/Aug/2019 — Responsible disclosure is started with Avast;
* 26/Aug/2019 — Vulnerability analysis is started;
* 15/Sep/2019 — Vulnerability is confirmed by Avast which initiates
* 20/Dec/2019 — Avast informs that it is performing the final checks and
that the patch is scheduled for 20/Jan/2020;
* 20/Dec/2019 — Avast thanks all the support provided and asks for a name
to carry out a public thank you;
* 20/Jan/2020 — Avast communicates that there is a public release with the
fixed vulnerability;
* 21/Jan/2020 — Avast releases a thank you note for all the given support

=====[ Thanks &

– Tempest Security Intelligence [4]

=====[ References

[1] https://cwe.mitre.org/data/definitions/284.html

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17190

[3] https://www.avast.com/pt-br/index#pc

[4] http://www.tempest.com.br

=====[ EOF

Source link

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *