Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Avira Free Security Suite 2019 - Exploiting Arbitrary File Writes for Local Elevation of Privilege

Related Vulnerabilities: CVE-2019-11396  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="0"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#1">By Date</a>
<a href="2"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="0"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#1">By Thread</a>
<a href="2"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Avira Free Security Suite 2019 - Exploiting Arbitrary File Writes for Local Elevation of Privilege</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: filipe &lt;filipe.xavier () tempest com br&gt;


<em>Date</em>: Wed, 31 Jul 2019 17:33:33 -0300


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">=====[ Tempest Security Intelligence - ADV-01/2019
]==========================

Avira Free Security Suite 2019 - Software Updater v2.0.6.13175
Author: Silton Santos
Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of
Contents]=====================================================

* Overview
* Detailed description
* Timeline of disclosure
* Thanks &amp; Acknowledgements
* References

=====[ Vulnerability
Information]=============================================

* Class: Improper Access Control[CWE-284][1]
* CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2019-11396[2]

=====[
Overview]==============================================================

* System affected : Avira Free Security Suite 2019 - Software Updater[3].
* Software Version : 2.0.6.13175 (other versions may also be affected).
* Impact : An unprivileged user could obtain SYSTEM privileges.

=====[ Detailed
description]==================================================

The permissive access rights on the SoftwareUpdater folder (files /
folders)
are incompatible with the privileged file manipulation performed by the
product.
Files can be created that can be used by an unprivileged user to obtain
SYSTEM privileges.
Arbitrary file creation can be achieved by abusing the SwuConfig.json
file creation.
An unprivileged user can replace these files by symbolic links to
arbitrary files.
When an update occurs, a privileged service creates a file and sets its
access rights,
offering write access to the Everyone group in any directory.

More Details:
<a rel="nofollow" href="https://medium.com/sidechannel-br/vulnerabilidade-no-avira-security-suite-pode-levar-%C3%A0-escala%C3%A7%C3%A3o-de-privil%C3%A9gios-no-windows-71964236c077">https://medium.com/sidechannel-br/vulnerabilidade-no-avira-security-suite-pode-levar-%C3%A0-escala%C3%A7%C3%A3o-de-privil%C3%A9gios-no-windows-71964236c077</a>


=====[ Timeline of
disclosure]===============================================

15/Apr/2019 - Responsible disclosure initiated with the vendor.
16/Apr/2019&nbsp;- Vendor requested more details about the exploitation.
21/Apr/2019&nbsp;- CVE assigned (reserved) CVE-2019-11396.
21/Apr/2019&nbsp;- Email sent to the vendor requesting an update on the fix
status.
23/Apr/2019 - The vendor has reproduced the vulnerability and works to
correct it.
21/May/2019 - The vulnerability has been fixed and the vendor has
informed that the release will be done in one week.
28/May/2019 - The vendor reported that the vulnerability had been fixed
and that the update was public.
o4/Jun/2019 - Email sent to the vendor stating that the vulnerability
has not been fixed.
18/Jun/2019 - Avira reported that the vulnerability has been fixed.
19/Jun/2019 - Email sent to the vendor stating that the vulnerability
has not been fixed.
03/Jul/2019 - Avira replied that he had identified the real problem and
was going to try to correct it again.
08/Jul/2019 - The vendor fixed the vulnerability.

=====[ Thanks &amp;
Acknowledgements]============================================

- Tempest Security Intelligence [4]

=====[ References
]===========================================================

[1] <a rel="nofollow" href="https://cwe.mitre.org/data/definitions/284.html">https://cwe.mitre.org/data/definitions/284.html</a>

[2] <a rel="nofollow" href="https://cwe.mitre.org/data/definitions/284.html">https://cwe.mitre.org/data/definitions/284.html</a>

[3] <a rel="nofollow" href="https://www.avira.com/pt-br/free-security-suite">https://www.avira.com/pt-br/free-security-suite</a>

[4] <a rel="nofollow" href="http://www.tempest.com.br">http://www.tempest.com.br</a>

=====[ EOF
]====================================================================

</pre><p><strong>Attachment:
<a href="att-1/Avira-adv-CVE-2019-11396.txt"><tt>Avira-adv-CVE-2019-11396.txt</tt></a></strong>

<em>Description:</em> </p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="0"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#1">By Date</a>
<a href="2"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="0"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#1">By Thread</a>
<a href="2"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Avira Free Security Suite 2019 - Exploiting Arbitrary File Writes for Local Elevation of Privilege</strong> <em>filipe (Aug 02)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started