Total AV 4.6.19 Insecure Permissions

`=====[ Tempest Security Intelligence - ADV-23/2018 ]===  
  
Total AV 4.1.7 ~ 4 .6.19 - Insecure Permissions  
-------------------------------------------------------  
Author:  
- Filipe Xavier Oliveira: < filipe.xavier () tempest.com.br  
<http://tempest.com.br/>  
  
=====[ Table of Contents  
]=====================================================  
  
* Overview   
* Detailed description   
* Timeline of disclosure   
* Thanks & Acknowledgements   
* References  
  
=====[ Overview  
]==============================================================  
  
* System affected : Total AV [1]  
* Software Version : 4.1.7 ~ 4 .6.19. Other versions or models may also  
be affected.  
* Impact : A malware could overwrite originals files to do persistence  
or elevate privileges, because the installation folder gives full access  
to any user on the system.  
  
=====[ Detailed description  
]==================================================  
  
A vulnerability allows local attackers to escalate privilege on TotalAV  
because of weak "C:\Program Files\TotalAV" permissions. The specific  
flaw exists within the access control that is set and modified during  
the installation of the product. The product sets weak access control  
restrictions. An attacker can leverage this vulnerability to execute  
arbitrary code under the context of Administrator, the IUSR account, or  
SYSTEM.  
  
The TotalAV installation folder permissions:  
  
C:\Program Files>icacls TotalAV  
  
TotalAV BUILTIN\Users:(OI)(CI)(F)  
Everyone:(OI)(CI)(F)  
NT SERVICE\TrustedInstaller:(I)(F)  
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(RX)  
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
  
=====[ Timeline of disclosure  
]===============================================  
  
06/28/2018 - Vendor was informed of the vulnerability, but the contact  
form on the site does not seem to work.  
  
07/12/2018 - The vendor was contacted again but did not respond.  
  
07/12/2018 - CVE assigned [2]   
  
07/12/2018 - Advisory publication date.  
  
=====[ Thanks & Acknowledgements  
]============================================  
  
- Tempest Security Intelligence / Tempest's Pentest Team [3]  
  
=====[ References  
]===========================================================  
  
[1] - https://www.totalav.com/  
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=  
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5313>CVE-2018-7535  
  
[3] http://www.tempest.com.br/  
  
--   
Filipe Oliveira  
Tempest Security Intelligence  
  
  
  
`