![]() ![]() ![]() In order to do this, it checks for the existence of “ C:\ProgramData\Avira\VPN\Update\AviraVPNInstaller.exe” and if the update file has already been installed or not: Upon entering “ Updater.UpdateToNewPackageifValid()”, the service first checks if there is an update that is downloaded via a call to “ Updater.CheckForDownloadedUpdatePackage()”. This function handles all the logic for updating the VPN software: The service does so by calling “ VPNUpdater.UpdateProduct()”, which in turn calls “ Updater.UpdateToNewPackageIfValid()”. When the Phantom VPN Service () starts, one of the first things it does is check for updates, which is done in C:\ProgramData (which is writable for low privileged users by default). A DLL hijack will occur, resulting in code-execution as SYSTEM. This allows an attacker to plant a valid Avira executable along with a malicious DLL in “ C:\ProgramData\Avira\VPN\Update” and cause the service to execute the update file. Additionally, the service implements checks to prevent exploitation that can be circumvented. The service executes the update from C:\ProgramData\Avira\VPN\Update, which is writable by a low privileged user. Vulnerability: Avira VPN Service Local Privilege Escalationīrief Description: When the Phantom VPN Service () starts, it checks to see if there are any updates available. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |