CVE-2019-17190 in Secure Browser
Summary
by MITRE
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the elevated process cleans the ACL of the Update.ini file in %PROGRAMDATA%\Avast Software\Browser\Update\ and sets all privileges to group Everyone. Because any low-privileged user can create, delete, or modify the Update.ini file stored in this location, an attacker with low privileges can create a hard link named Update.ini in this folder, and make it point to a file writable by NT AUTHORITY\SYSTEM. Once AvastBrowserUpdate.exe is triggered by the update check functionality, the DACL is set to a misconfigured value on the crafted Update.ini and, consequently, to the target file that was previously not writable by the low-privileged attacker.
Analysis
by VulDB Data Team • 03/26/2024
The vulnerability described in CVE-2019-17190 is a critical local privilege escalation flaw in Avast Secure Browser version 76.0.1659.101 that stems from improper access control list (ACL) management during the software update process. It manifests when the AvastBrowserUpdate.exe component runs with elevated privileges in the NT AUTHORITY\SYSTEM context, which lets low-privileged users manipulate system files through carefully crafted file system operations. The root cause is insecure handling of file permissions: the update process explicitly sets overly permissive ACLs on the Update.ini configuration file located in the program data directory.
The technical exploitation mechanism is a classic hard link attack pattern in which an unprivileged attacker creates a hard link named Update.ini that points to a file with restricted write permissions. Because a hard link is another name for the same underlying file, the ACL that the privileged update process applies to Update.ini is applied to the target file as well. When the update process runs and cleans the ACL of this file, it therefore inadvertently grants the attacker write access to a target file that was previously protected by system-level permissions. This misconfiguration creates a privilege escalation vector that allows attackers to modify system-critical files without requiring elevated privileges, effectively bypassing the intended security model of the browser application. The flaw is specific to the Windows file system permission model: the update process fails to validate the file it is operating on or to preserve the integrity of its ACL during file operations.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass potential system compromise and persistent access. Attackers can leverage this flaw to modify browser configuration files, inject malicious code into the update process, or manipulate the browser's behavior to redirect traffic or collect user data. The vulnerability demonstrates a fundamental flaw in the software's security architecture where the update mechanism does not properly validate file ownership or access control permissions before modifying system files. This creates a persistent threat vector that remains active as long as the vulnerable browser version is installed, making it particularly dangerous in enterprise environments where multiple users may have access to the system.
Mitigation strategies for this vulnerability should focus on immediate patching of the affected Avast Secure Browser version to address the ACL handling issue. Organizations should also implement monitoring of the %PROGRAMDATA%\Avast Software\Browser\Update\ directory for unauthorized file modifications and hard link creation. The security community should consider this vulnerability as a prime example of how insecure file permission handling during update processes can create persistent privilege escalation vectors. This flaw aligns with CWE-732: Incorrect Permission Assignment for Critical Resource and demonstrates techniques that map to ATT&CK tactics including privilege escalation through file permission modification and persistence mechanisms. System administrators should also consider implementing additional controls such as file integrity monitoring and restricted file system permissions to prevent unauthorized modifications to critical system directories. The vulnerability underscores the importance of proper access control list management in privileged processes and highlights the need for thorough security testing of update mechanisms that operate with elevated privileges.
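A read-only audit for the directory monitoring recommended above, as an added example (not Avast or VulDB code): it reports files in the updater directory that have more than one hard link or that grant write-class rights to broad groups. The SID list, the choice of rights bits, and treating any extra hard link as suspicious are assumptions of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit script, not vendor code.
$dir = Join-Path $env:ProgramData 'Avast Software\Browser\Update'   # directory named in the advisory

# Well-known SIDs of broad principals (assumption); SIDs avoid localized group names.
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users

# Rights that let a principal change file content or its security descriptor (assumption).
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$sidType   = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($file in Get-ChildItem -LiteralPath $dir -File -Force) {
    # fsutil prints one volume-relative path for every hard link to the same file.
    $links = @(& fsutil.exe hardlink list $file.FullName 2>$null | Where-Object { $_ })

    # Allow ACEs (explicit and inherited) that give a broad principal write-class rights.
    $acl  = Get-Acl -LiteralPath $file.FullName
    $aces = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadSids -contains $_.IdentityReference.Value -and
        [int]($_.FileSystemRights -band $writeBits) -ne 0
    })

    # Report the file if it has another name elsewhere or a broad write grant.
    if ($links.Count -gt 1 -or $aces.Count -gt 0) {
        [pscustomobject]@{
            Path          = $file.FullName
            HardLinkCount = $links.Count
            LinkPaths     = $links -join '; '
            BroadWriteAce = ($aces | ForEach-Object {
                '{0}:{1}' -f $_.IdentityReference.Value, $_.FileSystemRights
            }) -join '; '
        }
    }
}

$findings | Format-List
```

A file reported with `HardLinkCount` above 1 shares its security descriptor with every path listed in `LinkPaths`, so each of those paths should be checked for the same broad grant.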