Vulners
Lucene search
Avast Secure Browser 76.0.1659.101 Local Privilege Escalation Vulnerability
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2019-17190 | 27 Jan 202021:37 | – | circl |
 | Avast Secure Browser Local Elevation of Privilege Vulnerability | 23 Mar 202000:00 | – | cnvd |
 | CVE-2019-17190 | 27 Jan 202015:23 | – | cve |
 | CVE-2019-17190 | 27 Jan 202015:23 | – | cvelist |
 | EUVD-2019-7622 | 7 Oct 202500:30 | – | euvd |
 | CVE-2019-17190 | 27 Jan 202016:15 | – | nvd |
 | Privilege escalation | 27 Jan 202016:15 | – | prion |
 | PT-2020-9879 · Avast · Avast Secure Browser | 27 Jan 202000:00 | – | ptsecurity |
 | CVE-2019-17190 | 22 May 202510:02 | – | redhatcve |
Avast Secure Browser 76.0.1659.101
Author: Silton Santos
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of
Contents]=====================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References
=====[ Vulnerability
Information]=============================================
* Class: Improper Access Control[CWE-284][1]
* CVE-2019-17190[2]
=====[
Overview]======================================================================
* System affected : Avast Secure Browser [3]
* Software Version : 76.0.1659.101
* Impact : An unprivileged user could obtain SYSTEM privileges.
=====[ Detailed
description]==========================================================
A Local Privilege Escalation issue was discovered in Avast Secure Browser
76.0.1659.101.
The vulnerability is due to an insecure ACL set by the
AvastBrowserUpdate.exe (which is
running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new
updates.
When the update check is triggered, the elevated process cleans the ACL of
the Update.ini
file in %PROGRAMDATA%\Avast Software\Browser\Update\ and sets all
privileges to group Everyone.
Because any low-privileged user can create, delete, or modify the
Update.ini file stored in this
location, an attacker with low privileges can create a hard link named
Update.ini in this folder,
and make it point to a file writable by NT AUTHORITY\SYSTEM. Once
AvastBrowserUpdate.exe is
triggered by the update check functionality, the DACL is set to a
misconfigured value on the
crafted Update.ini and, consequently, to the target file that was
previously not writable by the
low-privileged attacker.
More Details:
https://sidechannel.tempestsi.com/vulnerability-in-avast-secure-browser-enables-escalation-of-privileges-on-windows-eb770d196c45
=====[ Timeline of
disclosure]=======================================================
* 23/Aug/2019 — Responsible disclosure is started with Avast;
* 26/Aug/2019 — Vulnerability analysis is started;
* 15/Sep/2019 — Vulnerability is confirmed by Avast which initiates
correction;
* 20/Dec/2019 — Avast informs that it is performing the final checks and
that the patch is scheduled for 20/Jan/2020;
* 20/Dec/2019 — Avast thanks all the support provided and asks for a name
to carry out a public thank you;
* 20/Jan/2020 — Avast communicates that there is a public release with the
fixed vulnerability;
* 21/Jan/2020 — Avast releases a thank you note for all the given support
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Mar 2020 00:00Current
0.3Low risk
Vulners AI Score0.3
CVSS 27.2
CVSS 3.17.8
EPSS0.00124