CVE-2020-9452 in True Image
Summary
by MITRE • 05/25/2021
An issue was discovered in Acronis True Image 2020 24.5.22510. anti_ransomware_service.exe includes functionality to quarantine files by copying a suspected ransomware file from one directory to another using SYSTEM privileges. Because unprivileged users have write permissions in the quarantine folder, it is possible to control this privileged write with a hardlink. This means that an unprivileged user can write/overwrite arbitrary files in arbitrary folders. Escalating privileges to SYSTEM is trivial with arbitrary writes. While the quarantine feature is not enabled by default, it can be forced to copy the file to the quarantine by communicating with anti_ransomware_service.exe through its REST API.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/29/2021
The vulnerability in Acronis True Image 2020 version 24.5.22510 represents a critical privilege escalation flaw that stems from improper access control mechanisms within the anti_ransomware_service.exe component. This service operates with SYSTEM privileges and implements a file quarantine functionality designed to isolate potentially malicious files by copying them from their original location to a designated quarantine directory. The flaw manifests in the service's handling of file operations where it copies suspected ransomware files without adequate validation of the destination path or permissions. The core technical issue lies in the fact that unprivileged users possess write permissions to the quarantine folder, creating a dangerous condition where malicious users can manipulate the file copy operation through hardlink manipulation techniques. This vulnerability directly maps to CWE-276, which addresses improper file permissions and inadequate access control, and aligns with ATT&CK technique T1068, which covers local privilege escalation through exploitation of system vulnerabilities.
The operational impact of this vulnerability extends beyond simple privilege escalation as it provides attackers with a straightforward path to SYSTEM-level access through arbitrary file write capabilities. When an unprivileged user creates a hardlink to a target file within the quarantine directory, the anti_ransomware_service.exe process, running with elevated privileges, will copy the file to the quarantine location while preserving the hardlink relationship. This allows the attacker to effectively overwrite or modify any file on the system that they can target, as the service's copy operation will write to the linked destination rather than the original file location. The vulnerability is particularly concerning because the quarantine feature is not enabled by default, yet can be activated through direct communication with the service's REST API, making the attack surface more accessible to threat actors who may not need to trigger the feature through normal user interfaces.
The exploitation pathway demonstrates sophisticated understanding of Windows file system behavior and privilege escalation techniques, as attackers can leverage the hardlink mechanism to bypass normal file permission checks. Once the privilege escalation is achieved, attackers gain complete system control, allowing them to modify system files, install malicious software, establish persistence mechanisms, or exfiltrate sensitive data. The attack requires minimal privileges initially, as users only need write access to the quarantine directory, which is typically granted for legitimate functionality. Security professionals should note that this vulnerability represents a classic example of how seemingly benign file handling operations can create dangerous privilege escalation opportunities when proper access controls are not implemented. The remediation approach should focus on removing write permissions for unprivileged users to the quarantine directory and implementing proper validation of file operations within the anti_ransomware_service.exe component. Additionally, network monitoring should be implemented to detect unauthorized communication with the REST API endpoints that could trigger the vulnerable quarantine functionality.