N-Able's Take Control Agent Vulnerability Exposes Windows Systems to Privilege Escalation


Sep 14, 2023 | THN | Vulnerability / Hacking


A high-severity security flaw has been disclosed in N-Able's Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges.

Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue relates to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows system.

The security shortcoming, which impacts versions and prior, has been addressed in version 7.0.43 released on March 15, 2023, following responsible disclosure by Mandiant on February 27, 2023.


Time-of-Check to Time-of-Use falls under a category of software flaws wherein a program checks the state of a resource for a specific value, but that value changes before it's actually used, effectively invalidating the results of the check.

An exploitation of such a flaw can result in a loss of integrity and trick the program into performing actions that it shouldn't otherwise, permitting a threat actor to gain access to otherwise unauthorized resources.

"This weakness can be security-relevant when an attacker can influence the state of the resource between check and use," according to a description of the Common Weakness Enumeration (CWE) system. "This can happen with shared resources such as files, memory, or even variables in multithreaded programs."

According to the Google-owned threat intelligence firm, CVE-2023-27470 arises from a TOCTOU race condition in the Take Control Agent (BASupSrvcUpdater.exe) between logging multiple file deletion events (e.g., files named aaa.txt and bbb.txt) and each delete action from a specific folder named "C:\ProgramData\GetSupportService_N-Central\PushUpdates."

"To put it simply, while BASupSrvcUpdater.exe logged the deletion of aaa.txt, an attacker could swiftly replace the bbb.txt file with a symbolic link, redirecting the process to an arbitrary file on the system," Mandiant security researcher Andrew Oliveau said.


"This action would cause the process to unintentionally delete files as NT AUTHORITY\SYSTEM."

Even more troublingly, this arbitrary file deletion could be weaponized to secure an elevated Command Prompt by taking advantage of a race condition attack targeting the Windows installer's rollback functionality, potentially leading to code execution.

"Arbitrary file deletion exploits are no longer limited to [denial-of-service attacks] and can indeed serve as a means to achieve elevated code execution," Oliveau said, adding such exploits can be combined with "MSI's rollback functionality to introduce arbitrary files into the system."

"A seemingly innocuous process of logging and deleting events within an insecure folder can enable an attacker to create pseudo-symlinks, deceiving privileged processes into running actions on unintended files."

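The log-then-delete pattern described above is safe only when the check and the delete act on the same pinned object. The following is an added example, not N-able's fix or Mandiant's code: a privileged cleanup routine that closes the check-to-use window, written against POSIX directory handles as an analogue of handle-based file operations on Windows. The names `cleanup_hardened`, `after_open` and `demo` are hypothetical, and the folder contents are constructed.

```python
import os
import stat
import tempfile

def cleanup_hardened(folder, log, after_open=lambda: None):
    """Delete regular files in `folder` without re-resolving its path.

    `after_open` is a hypothetical hook marking the check-to-use window.
    """
    # Pin the directory once; O_NOFOLLOW refuses a folder that is itself a link.
    dfd = os.open(folder, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # An "insecure folder" is one that other users can write to: refuse it.
        if os.fstat(dfd).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{folder} is writable by other users")
        after_open()
        for name in sorted(os.listdir(dfd)):
            # Check and use are both relative to the pinned handle.
            st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode):
                log.append(f"skipped {name}: not a regular file")
                continue
            os.unlink(name, dir_fd=dfd)
            log.append(f"deleted {name}")  # log each action as it happens
    finally:
        os.close(dfd)
    return log

def demo():
    """Constructed folder: aaa.txt is a file, bbb.txt links to a file outside it."""
    root = tempfile.mkdtemp()
    folder = os.path.join(root, "PushUpdates")
    os.mkdir(folder, 0o700)
    outside = os.path.join(root, "outside.txt")
    for path in (os.path.join(folder, "aaa.txt"), outside):
        with open(path, "w") as fh:
            fh.write("x")
    os.symlink(outside, os.path.join(folder, "bbb.txt"))
    log = cleanup_hardened(folder, [])
    return log, os.path.exists(outside), sorted(os.listdir(folder))

if __name__ == "__main__":
    print(demo())
```

The routine differs from the flawed pattern in three ways: the folder is opened once and every later operation is relative to that handle, each entry is checked and deleted in the same step rather than logged in one pass and deleted in another, and a folder writable by other users is rejected outright.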