============================================ Tested on OS: Microsoft Windows XP Professional 5.1.2600 Service Pack 2 2600 ============================================ Vulnerable Software: Avira Personal Tested version of Avira: ============================================ Product version 10.2.0.719 25.10.2012 Search engine 8.02.12.38 07.05.2013 Virus definition file 7.11.77.54 08.05.2013 Control Center 10.00.12.31 21.07.2011 Config Center 10.00.13.20 21.07.2011 Luke Filewalker 10.03.00.07 21.07.2011 AntiVir Guard 10.00.01.59 21.07.2011 Filter 10.00.26.09 21.07.2011 AntiVir WebGuard 10.01.09.00 09.05.2011 Scheduler 10.00.00.21 21.04.2011 Updater 10.00.00.39 21.07.2011 ============================================ Vulnerability: Privilegie Escalation ============================================ Proof Of concept: If the attacker somehow manages upload any malicious files to root directory of OS installed disk (%homedrive%) in the following manner: C:\Program.exe (In example attacker is limited to execute any file from webserver but is able upload any file to %homedrive%\ ) On next reboot this can be used to escalate privileges to NT_AUTHORITY/SYSTEM due vulnerability in Avira Personal(if that machine uses Avira Personal). ============================================ The main trouble begins from here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx Parameters lpApplicationName [in, optional] c:\program.exe files\sub dir\program name c:\program files\sub.exe dir\program name c:\program files\sub dir\program.exe name c:\program files\sub dir\program name.exe ============================================ For this purposes i have used the following AutoIT script (then compiled it to 32 bit win32 binary) While 1 sleep(18000);//sleep for 18 seconds for fun MsgBox(64,"","Blah!" & @CRLF & "Woot: We got=> " & @UserName);//display the current user ShellExecute("cmd.exe");//launch cmd.exe ;Enjoy WEnd and uploaded it as Program.exe to C:\ Then simply rebooted machine. Here is result on next reboot: See escal1.PNG http://i052.radikal.ru/1305/69/7bb1ce0323ec.png http://s56.radikal.ru/i152/1305/03/10bc43883c89.png In eg: this vuln can be used in the following situations: http://packetstormsecurity.com/files/121168/MiniWeb-File-Upload-Directory-Traversal.html Attacker is able to upload arbitrary files to system but he/she is unable to execute it. ON next reboot attacker can escalate privileges to SYSTEM privilegie due vulnerability in Avira Personal. This is also possible disable Realtime protection(Guard) of Avira personal in the following way on next reboot: =========================Compile as program.exe and place to %homedrive%\==================== While 1 sleep(3600*1000); WEnd ====Start your another troyan downloader and download/execute known malware to Avira========== ================================================ KUDOSSSSSSS ================================================ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org waraxe.us exploit-db.com ================================================ /AkaStep