Avira Personal Privilege Escalation

2013-05-12T00:00:00
ID PACKETSTORM:121591
Type packetstorm
Reporter Akastep
Modified 2013-05-12T00:00:00

Description

                                        
                                            `============================================  
Tested on OS:  
Microsoft Windows XP Professional 5.1.2600 Service Pack 2 2600  
============================================  
Vulnerable Software: Avira Personal  
Tested version of Avira:  
============================================  
Product version 10.2.0.719 25.10.2012  
Search engine 8.02.12.38 07.05.2013  
Virus definition file 7.11.77.54 08.05.2013  
Control Center 10.00.12.31 21.07.2011  
Config Center 10.00.13.20 21.07.2011  
Luke Filewalker 10.03.00.07 21.07.2011  
AntiVir Guard 10.00.01.59 21.07.2011  
Filter 10.00.26.09 21.07.2011  
AntiVir WebGuard 10.01.09.00 09.05.2011  
Scheduler 10.00.00.21 21.04.2011  
Updater 10.00.00.39 21.07.2011  
============================================  
Vulnerability: Privilege Escalation  
============================================  
  
  
Proof of concept:  
If an attacker manages to upload a malicious file to the root directory of the disk where the OS is installed (%homedrive%), named as follows:  
C:\Program.exe  
(For example, the attacker cannot execute files through the web server but is able to upload any file to %homedrive%\ )  
  
On the next reboot this can be used to escalate privileges to NT AUTHORITY\SYSTEM due to a vulnerability in Avira Personal (if that machine uses Avira Personal).  
============================================  
The main trouble begins here, in the documented behaviour of CreateProcess:  
  
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx  
  
Parameters  
  
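lpApplicationName [in, optional]  
  
For an unquoted long file name that contains spaces, such as "c:\program files\sub dir\program name", the system tries the possible interpretations in the following order:  
  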
c:\program.exe files\sub dir\program name  
c:\program files\sub.exe dir\program name  
c:\program files\sub dir\program.exe name  
c:\program files\sub dir\program name.exe  
  
============================================  
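An added example, not part of the original advisory: a Python sketch of the lookup order listed above, used to audit auto-start command lines for unquoted paths that contain spaces. The entry names and `ExampleAV` paths are constructed placeholders, and treating the first token that ends in `.exe` as the intended image is a simplifying assumption.

```python
import ntpath
import os
import re

def search_order(command_line):
    """Paths tried, in order, for an unquoted command line (per the
    CreateProcess lookup quoted above). Quoted or empty input returns []."""
    cmd = command_line.strip()
    if not cmd or cmd.startswith('"'):
        return []  # quoted image path: the file name boundary is unambiguous
    # Each whitespace run is a possible end of the file name.
    ends = [m.start() for m in re.finditer(r"\s+", cmd)] + [len(cmd)]
    tried = []
    for end in ends:
        prefix = cmd[:end]
        name = ntpath.basename(prefix)
        # ".exe" is appended when the file name has no extension.
        tried.append(prefix if "." in name else prefix + ".exe")
        if name.lower().endswith(".exe"):
            break  # assumption: intended image reached, the rest is arguments
    return tried

def audit(entries, exists=os.path.exists):
    """Return (entry, shadow_paths, shadow_paths_present) for every command
    line that would try some other path before the intended image."""
    findings = []
    for name, cmd in entries.items():
        shadows = search_order(cmd)[:-1]
        if shadows:
            findings.append((name, shadows, [p for p in shadows if exists(p)]))
    return findings

# Constructed sample auto-start entries (placeholders, not from the advisory).
SAMPLE = {
    "ExampleAVSched": r"C:\Program Files\ExampleAV\Example Desktop\sched.exe /service",
    "QuotedSvc": r'"C:\Program Files\ExampleAV\guard.exe" -k',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, shadows, present in audit(SAMPLE):
        print(name, "is unquoted; tried first:", shadows, "present:", present)
```

On a real host, feed `audit` the service `ImagePath` and Run-key values; a flagged entry is fixed by quoting the executable path in its registration.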
  
  
  
For this purpose I used the following AutoIt script (then compiled it to a 32-bit Win32 binary):  
  
  
While 1  
sleep(18000);//sleep for 18 seconds for fun  
MsgBox(64,"","Blah!" & @CRLF & "Woot: We got=> " & @UserName);//display the current user  
ShellExecute("cmd.exe");//launch cmd.exe  
;Enjoy  
WEnd  
  
and uploaded it as Program.exe to C:\  
  
Then simply rebooted the machine.  
  
  
Here is the result on the next reboot:  
  
See escal1.PNG  
http://i052.radikal.ru/1305/69/7bb1ce0323ec.png  
  
http://s56.radikal.ru/i152/1305/03/10bc43883c89.png  
  
For example, this vulnerability can be used in situations such as the following:  
  
http://packetstormsecurity.com/files/121168/MiniWeb-File-Upload-Directory-Traversal.html  
  
The attacker is able to upload arbitrary files to the system but is unable to execute them.  
On the next reboot the attacker can escalate privileges to SYSTEM due to the vulnerability in Avira Personal.  
  
  
It is also possible to disable the real-time protection (Guard) of Avira Personal in the following way on the next reboot:  
  
  
=========================Compile as program.exe and place in %homedrive%\====================  
While 1  
sleep(3600*1000);  
WEnd  
====Start your other trojan downloader and download/execute malware known to Avira==========  
  
  
  
/AkaStep  
  
  
  
  
  
  
  
  
`