N-Able Take Control Agent high-severity vulnerability can be used to escalate privileges in Windows systems

Focus on source code security and collect the latest information at home and abroad!

Compiled by: Code Guard

A high-severity vulnerability (CVE-2023-27470) in N-able's Take Control Agent can be used by a local, low-privileged attacker to gain SYSTEM privileges on Windows.


The vulnerability has a CVSS score of 8.8 and is a time-of-check to time-of-use (TOCTOU) race condition. A successful exploit allows arbitrary file deletion on a Windows system. Versions 7.0.41.1141 and earlier are affected; the fix shipped in version 7.0.43 on March 15, 2023.

A TOCTOU vulnerability occurs when a program checks the state of a resource and that state is changed before the program actually uses the resource, so the check no longer holds when it matters. Exploiting such a flaw breaks integrity: the program is tricked into performing an action it should not, which lets the attacker reach resources they are not authorized to touch.

The CWE entry for this weakness class (CWE-367, TOCTOU race condition) notes: "This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can occur with shared resources such as files, memory, or even variables in multithreaded programs."

Mandiant, which discovered the flaw, traced CVE-2023-27470 to a race condition in the Take Control Agent (BASupSrvcUpdater.exe) between logging multiple file-deletion events (for example, deleting files named aaa.txt and bbb.txt) and each individual delete from a specific folder, C:\ProgramData\GetSupportService_N-Central\PushUpdates. In short, while BASupSrvcUpdater.exe is logging the deletion of aaa.txt, an attacker can replace bbb.txt with a symbolic link, redirecting the process to an arbitrary file elsewhere on the system. Because the agent runs as NT AUTHORITY\SYSTEM, the process then deletes that file with SYSTEM privileges without realizing it.

To make matters worse, the arbitrary file deletion can be turned into an elevated Command Prompt by exploiting a race condition in the Windows Installer's rollback feature, potentially leading to code execution. As Mandiant researcher Andrew Oliveau put it, arbitrary file deletion exploits "are no longer limited to denial of service attacks" and can serve as a means to achieve elevated code execution; such primitives can be combined with "MSI's rollback function to introduce arbitrary files into the system."

The seemingly innocuous process of logging and deleting events in an insecure folder can allow an attacker to create pseudo-symlinks that trick a privileged process into performing operations on unintended files. The practical lesson for anyone writing or auditing a Windows service is that a process running as SYSTEM should never operate by path on entries in a directory that low-privileged users can write to; it should hold the directory open and act relative to that handle, or refuse to proceed when the directory or an entry turns out to be a reparse point.

Code Guard trial address: https://codesafe.qianxin.com

Open source guard trial address: https://oss.qianxin.com


Recommended reading

Multiple high-severity Kubernetes vulnerabilities can be used to perform remote attacks on Windows endpoints

New Windows?! Apple fixes new 0day that has been exploited

Fake 0day PoC on GitHub pushes Windows and Linux malware

Windows vulnerability has not been patched for ten years, 3CX supply chain attack affects more than 600,000 companies around the world

Zoom fixes multiple high-severity vulnerabilities on Windows and MacOS platforms

Original link

https://thehackernews.com/2023/09/n-ables-take-control-agent.html

Title image: Pixabay License

This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qianxin Code Guard https://codesafe.qianxin.com" when reprinting.


Qi'anxin Code Safe (codesafe)

The first domestic product line focusing on software development security.


Origin blog.csdn.net/smellycat000/article/details/132913741