Even security solutions are exposed to vulnerability exploitation. Hacking course specialists from Tempest revealed the discovery of a security flaw in the Avast Secure Browser (ASB) update process that, if exploited, would lead to a privilege escalation on the affected system.
Apparently, the flaw exists because the privileged process responsible for browser updates performs a log operation on a file, which redefines its permissions, granting broad privileges to any user. The operation is redirected to an arbitrary link using a hardlink, so that the privileged process begins to operate with the redirected file, redefining its privileges.
What does the term hardlink mean? According to the members of the hacking course, these are symbolic links that refer to a representation of the contents of the file on the NTFS system by other directories on the same volume. These links can be created very easily using mklink, a tool included in almost any recent version of the Windows system.
There are two conditions for creating hardlinks using the mentioned tool:
- The user requires recording privileges on the target file
- The user requires to write privileges in the directory where the hardlink will be created
The first condition would eliminate the possibility of using hardlinks in exploits to impact privilege escalation, bearing in mind that, in case the user already has permission to write to the target file, it would be sufficient to overwrite it with the desired content.
The instructors in the hacking course discovered that, when the NTOpenFile function opens the file, used during the implementation of the CreateHardLink API, the value FILE_WRITE_ATTRIBUTES, is sent as an attribute of the object, identifying the need to register privileges during the creation of the hardlink. In addition, when the NTOpenFile function is called, the FILE_WRITE_ATTRIBUTES flag can be deleted, so it is possible to create a hardlink with read-only permission.
For their proof-of-concept, researchers conducted an inspection with AccessEnum on some ASB-linked directories to find files with excessive permissions:
As we can see, one of the high-privileged files is Update.ini, located at C:\ProgramData\AVAST SOFTWARE\Browser\Update. The above image also shows that any user can take full control over the mentioned file.
From this directory, some filters were created that allowed to monitor any operation through a privileged process with Update.ini; then you can see the AvastBrowserUpdate.exe process, which performs some operations with the target file, mention the experts of the hacking course:
Subsequently, Update.ini was replaced with a hardlink pointing to C:\Program Files\Avast Software\Browser\Update\220.127.116.11\psmachine.dll to start the upgrade process. In this way, the permissions of psmachine.dll were redefined to grant full control to any user:
To complete privilege escalation, the contents of the DLL were replaced by one that returns a shell that was personified with the NT AUTHORITY-SYSTEM user.
According to the researchers, there is still no solution to this vulnerability, although no cases of exploitation have been detected in real-world scenarios. The International Institute of Cyber Security (IICS) recommends that administrators of vulnerable deployments remain aware of any updates or recommendations issued by Avast.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.