Threat actors were using Windows Arbitrary File Deletion to perform Denial-of-service attacks on systems affected by this vulnerability. However, recent reports indicate that this Windows Arbitrary file deletion can be used for a full compromise.
The possibility of this attack depends on the CVE-2023-27470 arbitrary file deletion vulnerability combining it with a Time-of-Check to Time-of-Use (TOCTOU) race condition, which enables the deletion of files on a Windows system and subsequently creates an elevated Command Prompt.
CVE-2023-27470 & TOCTOU – Technical Analysis
CVE-2023-27470 affects N-Able’s Take Control Agent, which can lead to an arbitrary file deletion vulnerability. This vulnerability analysis was done using Microsoft’s Process Monitor, often called ProcMon.
This vulnerability exists due to insecure file operations conducted by NT AUTHORITYSYSTEM processes that were detected with the help of ProcMon filters.
The process that was analyzed during this vulnerability was BASupSrvcUpdater.exe, belonging to Take Control Agent 7.0.41.1141.
With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.
Race Condition
BASupSrvcUpdater.exe attempts every 30 seconds to a non-existent folder under the C:ProgramDataGetSupportService_N-CentralPushUpdates as an NT AUTHORITYSYSTEM process. For further research, this PushUpdates folder and a dummy file aaa.txt were created.
BASupSrvcUpdater.exe made an attempt to read the contents of the folder and performed a deletion, which was logged in the C:ProgramDataGetSupportService_N-CentralLogsBASupSrvcUpdater_[DATE].log log file.
This particular action gives rise to a race condition, as a threat actor can exploit this condition by utilizing the timeframe between the deletion and logging.
To exploit this condition and perform a full system compromise, an attacker must replace a file in the PushUpdates folder with a pseudo-symlink.
A complete report about this attack has been published, which provides detailed information about the exploitation, techniques, process, and method of complete system compromise.
To prevent this attack, it is recommended for organizations using N-able to upgrade to version 7.0.43 to fix this vulnerability.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.