Privilege escalation vulnerability in Avast Secure Browser allows hacking Windows systems

Even security solutions are exposed to vulnerability exploitation. Hacking course specialists from Tempest revealed the discovery of a security flaw in the Avast Secure Browser (ASB) update process that, if exploited, would allow privilege escalation on the affected system.

The flaw exists because the privileged process responsible for browser updates performs a logging operation on a file and, in doing so, resets that file's permissions to grant broad privileges to any user. By replacing the file with a hardlink to an arbitrary target, this operation can be redirected so that the privileged process works on the target file instead and rewrites its permissions.

What does the term hardlink mean? According to the members of the hacking course, these are links that make the same file contents on an NTFS volume reachable under another name, from other directories on the same volume. Such links can be created very easily with mklink, a tool included in almost every recent version of Windows.

There are two conditions for creating hardlinks with the mentioned tool:

  • The user needs write privileges on the target file
  • The user needs write privileges in the directory where the hardlink will be created

The first condition would seem to rule out using hardlinks in privilege escalation exploits: if the user already has permission to write to the target file, it would be enough to simply overwrite it with the desired content.

The instructors in the hacking course found that the implementation of the CreateHardLink API opens the target file with NtOpenFile, requesting FILE_WRITE_ATTRIBUTES as the desired access; that request is what imposes the write requirement during hardlink creation. If NtOpenFile is called directly without the FILE_WRITE_ATTRIBUTES flag, a hardlink can be created with only read permission on the target.

For their proof of concept, the researchers inspected some ASB-related directories with AccessEnum to find files with excessive permissions:

SOURCE: Tempest

As the image shows, one of the files with excessive permissions is Update.ini, located at C:\ProgramData\AVAST SOFTWARE\Browser\Update; any user can take full control of this file.

Filters were then set up to monitor any operation performed on Update.ini by a privileged process. The AvastBrowserUpdate.exe process can be seen performing several operations on the target file, the experts of the hacking course note:

SOURCE: Tempest

Update.ini was then replaced with a hardlink pointing to C:\Program Files\Avast Software\Browser\Update\1.5.245.0\psmachine.dll, and the update process was started. As a result, the permissions of psmachine.dll were rewritten to grant full control to any user:

SOURCE: Tempest
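As an added example (not code from Tempest's write-up or from Avast), the following PowerShell script performs the same kind of check the researchers did with AccessEnum from a defender's side: it walks the ASB update directory named above, reports files on which broad principals hold write, delete or permission-changing rights, and uses fsutil to flag any such file that is already a hardlink. The directory path comes from the article; the principal list and the assumption of an elevated prompt are mine.

```powershell
# Audit an update directory for files that low-privileged users can modify,
# and flag those that already have more than one hardlink.
# Path taken from the article; adjust for other products or locations.
$Root = 'C:\ProgramData\AVAST SOFTWARE\Browser\Update'

# Broad principals (assumed list): write access for any of these on a file
# that a SYSTEM process later touches is the precondition described above.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a low-privileged user replace the file or alter its DACL.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakAclFiles {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$DangerousRights) -eq 0) { continue }
            # fsutil prints every name that shares this file's data; more than
            # one line means the file is a hardlink (as Update.ini was in the PoC).
            $links = @(fsutil hardlink list $file.FullName 2>$null)
            [pscustomobject]@{
                File       = $file.FullName
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.FileSystemRights
                LinkCount  = $links.Count
                IsHardLink = ($links.Count -gt 1)
            }
            break   # one finding per file is enough for the report
        }
    }
}

Get-WeakAclFiles -Path $Root | Format-Table -AutoSize
```

Any hit under a directory that a SYSTEM updater writes to should have the broad ACE removed (for example with icacls and /remove:g) so that only administrators and SYSTEM can modify the file.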

To complete the privilege escalation, the DLL was replaced with one that returns a shell running as the NT AUTHORITY\SYSTEM user.

SOURCE: Tempest

According to the researchers, there is still no fix for this vulnerability, although no exploitation has been detected in the wild. The International Institute of Cyber Security (IICS) recommends that administrators of vulnerable deployments remain aware of any updates or recommendations issued by Avast.