A high-severity security flaw has been disclosed in N-able's Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges.
Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue is a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows system.
The security shortcoming, which impacts versions 7.0.41.1141 and prior, has been addressed in version 7.0.43, released on March 15, 2023, following responsible disclosure by Mandiant on February 27, 2023.
Time-of-Check to Time-of-Use falls under a class of software flaws whereby a program checks the state of a resource for a particular value, but that value changes before the resource is actually used, effectively invalidating the result of the check.
Exploiting such a flaw can result in a loss of integrity and trick the program into performing actions it otherwise should not, allowing a threat actor to gain access to otherwise unauthorized resources. The risk is greatest when the checked resource, such as a file or directory, lives in a location the attacker can also write to.
"This weakness can be security-relevant when an attacker can influence the state of the resource between check and use," according to the Common Weakness Enumeration (CWE) description of the flaw class. "This can happen with shared resources such as files, memory, or even variables in multithreaded programs."
According to the Google-owned threat intelligence firm, CVE-2023-27470 arises from a TOCTOU race condition in the Take Control Agent (BASupSrvcUpdater.exe) between logging multiple file deletion events (e.g., files named aaa.txt and bbb.txt) and each delete action from a specific folder named "C:\ProgramData\GetSupportService_N-Central\PushUpdates."
"To put it simply, while BASupSrvcUpdater.exe logged the deletion of aaa.txt, an attacker could swiftly replace the bbb.txt file with a symbolic link, redirecting the process to an arbitrary file on the system," Mandiant security researcher Andrew Oliveau said.
"This action would cause the process to unintentionally delete files as NT AUTHORITY\SYSTEM."
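The check-then-act window described above, and the CWE definition of TOCTOU before it, are easiest to see in code. The following is an added example written for this article, not code from Mandiant, N-able, or the agent itself. It is a POSIX analogue of the bug: a privileged cleaner lists a folder, "logs" each name, then deletes by path. Because `unlink()` on POSIX removes a file symlink rather than its target, the constructed attacker swaps the folder itself for a directory symlink during the log step, which is the same redirection effect the Windows exploit achieves with a link on bbb.txt. The folder and file names (`PushUpdates`, `aaa.txt`, `bbb.txt`, `victim`) mirror the article but live in a temporary directory; the `on_logged` hook is a stand-in for the log write that opens the race window. The hardened version pins the directory to a file descriptor, validates it once, and deletes relative to that descriptor, so later path substitution cannot redirect the delete.

```python
import os
import stat
import tempfile
from pathlib import Path


def vulnerable_cleanup(folder, on_logged=None):
    """Check-then-act pattern: list the folder, log each name, then delete by path.

    Every os.remove() re-resolves `folder` from scratch, so if the attacker
    replaces the folder with a symbolic link between the log step and the
    delete step, the delete lands wherever the link points.
    """
    deleted = []
    for name in sorted(os.listdir(folder)):
        if on_logged:
            on_logged(name)                      # race window: attacker acts here
        os.remove(os.path.join(folder, name))    # path resolved again: follows the link
        deleted.append(name)
    return deleted


def hardened_cleanup(folder, on_logged=None):
    """Pin the directory with a descriptor, validate it once, delete relative to it.

    The descriptor keeps pointing at the directory inode we validated, so
    renaming or replacing the path afterwards does not redirect the unlink.
    """
    dfd = os.open(folder, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(dfd)
        # Refuse to clean a folder another user could have tampered with.
        if st.st_uid != os.geteuid() or st.st_mode & stat.S_IWOTH:
            raise PermissionError("directory is not ours or is world-writable")
        deleted = []
        for name in sorted(os.listdir(dfd)):
            if on_logged:
                on_logged(name)
            est = os.stat(name, dir_fd=dfd, follow_symlinks=False)
            if not stat.S_ISREG(est.st_mode):
                continue                          # skip links, subdirs, devices
            os.unlink(name, dir_fd=dfd)           # relative to the pinned directory
            deleted.append(name)
        return deleted
    finally:
        os.close(dfd)


def run_race(cleanup):
    """Constructed scenario. Returns True if the file outside the folder survived."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        push = root / "PushUpdates"
        victim_dir = root / "victim"
        push.mkdir()
        victim_dir.mkdir()
        for name in ("aaa.txt", "bbb.txt"):
            (push / name).write_text("stale update")
        victim = victim_dir / "bbb.txt"           # the file the attacker wants deleted
        victim.write_text("do not delete me")

        def attacker(name):
            # Wins the race right after bbb.txt is logged: swap the folder for a
            # symlink so "PushUpdates/bbb.txt" now names the victim file.
            if name == "bbb.txt":
                os.rename(push, root / "PushUpdates.old")
                os.symlink(victim_dir, push)

        try:
            cleanup(str(push), attacker)
        except OSError:
            pass                                  # the hardened cleaner may refuse; fine
        return victim.exists()


if __name__ == "__main__":
    print("vulnerable: victim survived =", run_race(vulnerable_cleanup))  # False
    print("hardened:   victim survived =", run_race(hardened_cleanup))    # True
```

The descriptor-relative calls (`dir_fd=`) are the POSIX way to close the window; on Windows the equivalent is to delete through a handle opened on the validated directory (and to open with reparse points not followed) rather than by re-resolving a full path, and, above all, not to perform privileged deletes inside a folder unprivileged users can write to, which is the root of the N-able case.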
Even more troublingly, this arbitrary file deletion could be weaponized to obtain an elevated Command Prompt by taking advantage of a race condition attack targeting the Windows Installer's rollback functionality, potentially leading to code execution as SYSTEM.
"Arbitrary file deletion exploits are no longer limited to denial-of-service attacks and can indeed serve as a means to achieve elevated code execution," Oliveau said, adding that such exploits can be combined with "MSI's rollback functionality to introduce arbitrary files into the system."
"A seemingly innocuous process of logging and deleting events within an insecure folder can enable an attacker to create pseudo-symlinks, deceiving privileged processes into running actions on unintended files."