Adaware Protect Local Privilege Escalation through Insecure Service Permissions (CVE-2022–31464)
Introduction
Adaware Protect has a service called Adaware Protect Service which runs as the Local System Account. Since Everyone has Full Control over this service, a low privilege user can escalate his/her privileges to the SYSTEM level.
I’m disclosing this vulnerability after waiting them for 60 days.
Description of the Vulnerability
- Title: Adaware Protect Local Privilege Escalation through Insecure Service Permissions
- Product: Adaware Protect
- Version: 1.2.495.4325 (Latest Version on 14 June 2022)
- Homepage: https://www.adaware.com
- Test Platform: Windows 10 19044
During the installation of Adaware Antivirus, you can also install Adaware Protect as you can see from the screenshot below.
After the installation, I realized that a new service is created whose name is Adaware Protect Service which executes AdawareProtectService.exe, and the process which is created by this service is running as SYSTEM privileges which is the highest privilege on Windows Systems.
I checked the permissions for this service and saw that EVERYONE has full control of that service configuration which may lead to escalate privileges from low privileged to SYSTEM level privilege.
From a low privileged account, you can change the service binary path to any binary that you want. In this way, you can execute this binary as the SYSTEM.
You can also confirm this change from the Services GUI.
After changing its startup type to Disable and rebooting the computer (because you cannot stop the service directly), you can see that your selected binary is executed as SYSTEM (in our case it’s notepad.exe).
By following the same steps, anyone can take any permissions that he/she wants over an executable from a low privilege account.