Monday, December 23, 2024
HomeCyber Security NewsWindows Arbitrary File Deletion Vulnerability Leads to Full System Compromise

Windows Arbitrary File Deletion Vulnerability Leads to Full System Compromise

Published on

SIEM as a Service

Threat actors were using Windows Arbitrary File Deletion to perform Denial-of-service attacks on systems affected by this vulnerability. However, recent reports indicate that this Windows Arbitrary file deletion can be used for a full compromise.

The possibility of this attack depends on the CVE-2023-27470 arbitrary file deletion vulnerability combining it with a Time-of-Check to Time-of-Use (TOCTOU) race condition, which enables the deletion of files on a Windows system and subsequently creates an elevated Command Prompt.

CVE-2023-27470 & TOCTOU – Technical Analysis

CVE-2023-27470 affects N-Able’s Take Control Agent, which can lead to an arbitrary file deletion vulnerability. This vulnerability analysis was done using Microsoft’s Process Monitor, often called ProcMon. 

- Advertisement - SIEM as a Service

This vulnerability exists due to insecure file operations conducted by NT AUTHORITY\SYSTEM processes that were detected with the help of ProcMon filters.

The process that was analyzed during this vulnerability was BASupSrvcUpdater.exe, belonging to Take Control Agent 7.0.41.1141.

Race Condition

BASupSrvcUpdater.exe attempts every 30 seconds to a non-existent folder under the C:\ProgramData\GetSupportService_N-Central\PushUpdates as an NT AUTHORITY\SYSTEM process. For further research, this PushUpdates folder and a dummy file aaa.txt were created.

BASupSrvcUpdater.exe made an attempt to read the contents of the folder and performed a deletion, which was logged in the C:\ProgramData\GetSupportService_N-Central\Logs\BASupSrvcUpdater_[DATE].log log file. 

This particular action gives rise to a race condition, as a threat actor can exploit this condition by utilizing the timeframe between the deletion and logging.

To exploit this condition and perform a full system compromise, an attacker must replace a file in the PushUpdates folder with a pseudo-symlink.

A complete report about this attack has been published, which provides detailed information about the exploitation, techniques, process, and method of complete system compromise.

To prevent this attack, it is recommended for organizations using N-able to upgrade to version 7.0.43 to fix this vulnerability.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

North Korean Hackers Stolen $2.2 Billion from Crypto Platforms in 2024

North Korean hackers are estimated to have stolen a staggering $2.2 billion in 2024,...

17M Patient Records Stolen in Ransomware Attack on Three California Hospitals

A staggering 17 million patient records, containing sensitive personal and medical information, have been...

WhatsApp Wins NSO in Pegasus Spyware Hacking Lawsuit After 5 Years

After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO...

PentestGPT – A ChatGPT Powered Automated Penetration Testing Tool

GBHackers come across a new ChatGPT-powered Penetration testing Tool called "PentestGPT" that helps penetration...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

North Korean Hackers Stolen $2.2 Billion from Crypto Platforms in 2024

North Korean hackers are estimated to have stolen a staggering $2.2 billion in 2024,...

17M Patient Records Stolen in Ransomware Attack on Three California Hospitals

A staggering 17 million patient records, containing sensitive personal and medical information, have been...

WhatsApp Wins NSO in Pegasus Spyware Hacking Lawsuit After 5 Years

After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO...