N-Able Take Control Agent Vulnerability Exposes Windows Systems to Privilege Elevation
A high-severity security vulnerability has been revealed in N-Able’s Take Control agent that could be exploited by an unprivileged local attacker to gain SYSTEM privileges.
Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue refers to one hour of control to one hour of use (TOCTOU) race condition vulnerability which, when successfully exploited, could be exploited to delete arbitrary files on a Windows system.
The security flaw, which affects versions 7.0.41.1141 and earlier, was fixed in version 7.0.43 released on March 15, 2023, following a responsible disclosure by Mandiant on February 27, 2023.
Time-of-Check to Time-of-Use falls into a category of software vulnerabilities in which a program checks the state of a resource for a specific value, but that value changes before it is actually used, invalidating thus the results of the verification.
Exploiting such a flaw can result in a loss of integrity and cause the program to perform actions that it should not otherwise, allowing a malicious actor to access unauthorized resources.
“This weakness can impact security when an attacker can influence the state of the resource between its verification and its use,” according to a description in the Common Weakness Enumeration (CWE) system. “This can happen with shared resources such as files, memory, or even variables in multithreaded programs.”
According to the Google-owned threat intelligence firm, CVE-2023-27470 results from a TOCTOU race condition in the Take Control agent (BASupSrvcUpdater.exe) between logging multiple file deletion events (e.g. files named aaa.txt and bbb.txt). and each action deletes a specific folder named “C:\ProgramData\GetSupportService_N-Central\PushUpdates”.
“To put it simply, while BASupSrvcUpdater.exe recorded the deletion of aaa.txt, an attacker could quickly replace the bbb.txt file with a symbolic link, redirecting the process to an arbitrary file on the system,” Andrew Oliveau, a researcher in security at Mandiant. said.
Identity is the New Endpoint: Mastering SaaS Security in the Modern Age
Dive into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Find out why identity is the new endpoint. Reserve your place now.
“This action would cause the process to unintentionally delete files under the name NT AUTHORITY\SYSTEM.”
Even more troubling, this arbitrary deletion of files could be used to secure an elevated command prompt by leveraging a race condition attack targeting the restore functionality of Windows Installer, potentially leading to code execution.
“Arbitrary file deletion exploits are no longer limited to denial of service attacks and can indeed serve as a means to achieve high code execution,” Oliveau said, adding that such exploits can be combined with “the MSI’s restore functionality to introduce arbitrary files into the system.”
“A seemingly innocuous process of logging and deleting events in an unsecured folder may allow an attacker to create pseudo-symlinks, thereby tricking privileged processes into performing actions on unintended files.”
