

Tempest's advisory team recently identified a vulnerability in the Windows version of Avira AntiVirus which, if exploited, allows a local user to escalate privileges on the system.

The flaw lies in a file named SwuConfig.json which, by default, grants full access and control to every Windows user. Using Symbolic Links, an object type present in the operating system, as the attack vector, the researchers were able to abuse the permissions assigned to this JSON file to plant a malicious DLL in the Windows System32 folder.

Symbolic links are a special type of object that contains a reference to another file or folder. Windows has several kinds of symbolic links, but for the purposes of the exploit described here we restrict the discussion to two of them: Object Manager Symbolic Links and NTFS Mount Points (NTFS junctions).

The Object Manager is the Windows component that centralizes and manages the operating system's internal objects, including symbolic links. The drive letters on a Windows computer are one example of Object Manager Symbolic Links: the C: drive is nothing more than a symbolic link to \Device\HarddiskVolume1. The following image shows the link between the HarddiskVolume1 device and its symbolic link C:\ in the Object Manager.

Such links are not confined to the drive-letter directory. A user can create one with DefineDosDeviceW: the DDD_RAW_TARGET_PATH flag makes the target be taken as a raw NT object path, and prefixing the link name with Global\GLOBALROOT makes the name resolve from the root of the Object Manager namespace instead of the DosDevices directory, so the call below creates a link named Link inside the \RPC Control directory. The target-path argument of the call is cut off in the source and is left out here:

```c
DefineDosDeviceW(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH,
                 L"Global\\GLOBALROOT\\RPC Control\\Link",
                 /* target path: truncated in the source */);
```

The result of this call is shown in the next image.

Image 2: Creating a symbolic link in a directory other than DOSDevices.

NTFS Mount Points

The other kind of symbolic link involved in the research is the NTFS Mount Point (NTFS junction), which lets a directory act as a mount point for another directory: for example, a directory located at C:\Windows\System32\sysprep\ could be accessed through a junction located at C:\Users\test\Desktop\Link. The only requirements for creating such a junction are read permission on the referenced directory (C:\Windows\System32\sysprep\) and write permission on the directory where the junction will be stored (C:\Users\test\Desktop\Link). A key element of this mechanism is the Reparse Point, which Microsoft documentation describes as a collection of user-defined data whose format is understood by the application that stores the data and by a file system filter that interprets the data and processes the file. NTFS junctions are implemented with reparse points. A reparse point can be set on a directory when it is created, but the directory must be empty; otherwise the junction cannot be created, since a directory carrying a reparse point cannot contain files or folders of its own.

Exploiting the Avira flaw using Symbolic Links

The flaw discovered by the consulting team is in Avira Software Updater, a tool designed to automatically update all programs installed on the computer whenever updates are available, in order to "maintain system security". Image 3 shows the moment when the service named Avira.SoftwareUpdater, running with SYSTEM privileges, handles files in a fully accessible directory, and image 4 shows that the SwuConfig.json file (located at C:\ProgramData\Avira\SoftwareUpdater\) is likewise fully accessible to any user of the system.

Image 3: json file in user directory
Image 4: json file permissions on user-controlled folder

To exploit this vulnerability, two symbolic links must be created, one of each type: an Object Manager Symbolic Link named SwuConfig.json pointing to the file C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.dll, and an NTFS junction inside C:\ProgramData\Avira named SoftwareUpdater. Because a real folder of that name already exists, it must be renamed before exploitation so that the junction can be created without error. The junction's reparse data must be set so that, when the service opens SwuConfig.json through the junction, it is the Object Manager Symbolic Link of that name that gets resolved rather than a file on disk. The researchers used the CreateSymLink tool to create both links at once. Image 5 shows the symbolic link being created within the Object Manager.

Image 5: symbolic link referencing the json file.

Once the links are in place, the attacker waits for Avira to try to create SwuConfig.json again, which happens the next time Software Updater runs. The write now lands on C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.dll; image 6 shows the file created in the chosen directory with all possible permissions. With control over that DLL, its contents can be overwritten with a malicious DLL in order to execute arbitrary code.

Image 6: file permissions created

The next time the Avira update service runs, it loads this malicious DLL, which executes with the privileges of the process that loaded it, NT AUTHORITY\SYSTEM (image 7).
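A practical counterpart to the permission and junction observations above, added here as an example and not code from Tempest's write-up or from Avira: a PowerShell script that audits a service's data directory for the preconditions this chain relied on (files and folders that low-privilege users can write to, and reparse points already planted in the tree) and reports the state of the System32 DLL path named in the text. The $Root and $DllPath defaults are the paths from the text; the identity list, the write-rights mask and the "suspicious junction target" heuristic are this example's own assumptions.

```powershell
<#
Added example; not code from the Tempest write-up or from Avira.
Audits a directory tree for the conditions the described chain needs:
  1. Allow ACEs that give low-privilege principals write-type rights on
     files or folders a SYSTEM service handles (SwuConfig.json and its folder).
  2. Reparse points (junctions) in the tree, flagging those whose target is
     not an ordinary drive-letter path (heuristic: an Object Manager target
     such as \RPC Control is what the symlink trick relies on).
It also reports whether the System32 DLL path from the write-up exists and
who signed it. Windows PowerShell 5.1 or later; run elevated so every ACL
can be read. $Root and $DllPath are parameters the reader adjusts.
#>
param(
    [string]$Root    = 'C:\ProgramData\Avira',
    [string]$DllPath = 'C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.dll'
)

# Principals every local user holds by default (assumption: extend for your estate).
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a standard user replace the object or swap it for a link.
# FullControl and Modify contain these bits, so a bitwise test covers them too.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-LowPrivWriteAccess {
    # One record per Allow ACE granting a low-privilege identity write-type rights.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: generic rights (e.g. GENERIC_ALL) appear as raw values outside the named enum.
        if (([int]($ace.FileSystemRights) -band [int]$WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-OrdinaryFileSystemTarget {
    # True when a junction target is a plain drive-letter path (after stripping a
    # \??\ or \\?\ prefix). Empty or non-filesystem targets return False.
    param([AllowNull()][string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    $t = $Target -replace '^\\\?\?\\', '' -replace '^\\\\\?\\', ''
    return [bool]($t -match '^[A-Za-z]:\\')
}

function Get-PlantedReparsePoints {
    # Every reparse point below $Path, with the heuristic flag on its target.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = ($_.Target | Select-Object -First 1)   # Target is string[] on PS 5.1
            [pscustomobject]@{
                Path       = $_.FullName
                LinkType   = $_.LinkType
                Target     = $target
                Suspicious = -not (Test-OrdinaryFileSystemTarget $target)
            }
        }
}

function Get-DllStatus {
    # Existence, signer and write time of the DLL path the chain writes to.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Signer = $null; Status = $null; LastWriteUtc = $null }
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $item   = Get-Item -LiteralPath $Path -Force
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        Signer       = $signer
        Status       = $sig.Status
        LastWriteUtc = $item.LastWriteTimeUtc
    }
}

# Walk the tree, including $Root itself, and report.
$targets  = @(Get-Item -LiteralPath $Root -Force -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$writable = foreach ($t in $targets) {
    try { Get-LowPrivWriteAccess -Path $t.FullName } catch { }   # unreadable ACLs are skipped
}

'== Low-privilege write access under {0} ==' -f $Root
$writable | Format-Table Path, Identity, Rights, Inherited -AutoSize
'== Reparse points under {0} ==' -f $Root
Get-PlantedReparsePoints -Path $Root | Format-Table Path, LinkType, Target, Suspicious -AutoSize
'== Status of {0} ==' -f $DllPath
Get-DllStatus -Path $DllPath | Format-List
```

Run it from an elevated prompt, for example `.\Audit-ServiceData.ps1 -Root 'C:\ProgramData\Avira'`. Any row in the first table is a folder or file a SYSTEM service will touch that a standard user can also replace, which is exactly the state of SwuConfig.json and its folder in the write-up; a junction in the second table whose Suspicious flag is set has a target outside the normal drive-letter namespace and should be opened with `fsutil reparsepoint query` to see where it really points.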
