N-Able's Take Control Agent Vulnerability Exposes Windows Systems to Privilege Escalation
15.9.23 Vulnerebility The Hacker News
A high-severity security flaw has been disclosed in N-Able's Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges.
Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue relates to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows system.
The security shortcoming, which impacts versions 7.0.41.1141 and prior, has been addressed in version 7.0.43 released on March 15, 2023, following responsible disclosure by Mandiant on February 27, 2023.
Time-of-Check to Time-of-Use falls under a category of software flaws wherein a program checks the state of a resource for a specific value, but that value changes before it's actually used, effectively invalidating the results of the check.
An exploitation of such a flaw can result in a loss of integrity and trick the program into performing actions that it shouldn't otherwise, thereby permitting a threat actor to gain access to unauthorized resources.
"This weakness can be security-relevant when an attacker can influence the state of the resource between check and use," according to a description in the Common Weakness Enumeration (CWE) system. "This can happen with shared resources such as files, memory, or even variables in multithreaded programs."
According to the Google-owned threat intelligence firm, CVE-2023-27470 arises from a TOCTOU race condition in the Take Control Agent (BASupSrvcUpdater.exe) between logging multiple file deletion events (e.g., files named aaa.txt and bbb.txt) and each delete action from a specific folder named "C:\ProgramData\GetSupportService_N-Central\PushUpdates."
"To put it simply, while BASupSrvcUpdater.exe logged the deletion of aaa.txt, an attacker could swiftly replace the bbb.txt file with a symbolic link, redirecting the process to an arbitrary file on the system," Mandiant security researcher Andrew Oliveau said.
"This action would cause the process to unintentionally delete files as NT AUTHORITY\SYSTEM."
Even more troublingly, this arbitrary file deletion could be weaponized to secure an elevated Command Prompt by taking advantage of a race condition attack targeting the Windows installer's rollback functionality, potentially leading to code execution.
"Arbitrary file deletion exploits are no longer limited to [denial-of-service attacks and can indeed serve as a means to achieve elevated code execution," Oliveau said, adding such exploits can be combined with "MSI's rollback functionality to introduce arbitrary files into the system."
"A seemingly innocuous process of logging and deleting events within an insecure folder can enable an attacker to create pseudo-symlinks, deceiving privileged processes into running actions on unintended files."