CVE-2024-5102
Elevation of Privelage via symlinked file in Avast Antivirus
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A sym-linked file accessed via the repair function in Avast Antivirus <24.2 on Windows may allow user to elevate privilege to delete arbitrary files or run processes as NT AUTHORITY\SYSTEM. The vulnerability exists within the "Repair" (settings -> troubleshooting -> repair) feature, which attempts to delete a file in the current user's AppData directory as NT AUTHORITY\SYSTEM. A low-privileged user can make a pseudo-symlink and a junction folder and point to a file on the system. This can provide a low-privileged user an Elevation of Privilege to win a race-condition which will re-create the system files and make Windows callback to a specially-crafted file which could be used to launch a privileged shell instance. This issue affects Avast Antivirus prior to 24.2.
Un archivo con enlace simbólico al que se accede a través de la función de reparación en Avast Antivirus <24.2 en Windows puede permitir al usuario elevar privilegios para eliminar archivos arbitrarios o ejecutar procesos como NT AUTHORITY\SYSTEM. La vulnerabilidad existe dentro de la función "Reparación" (configuración -> solución de problemas -> reparación), que intenta eliminar un archivo en el directorio AppData del usuario actual como NT AUTHORITY\SYSTEM. Un usuario con pocos privilegios puede crear un pseudoenlace simbólico y una carpeta de unión y apuntar a un archivo en el sistema. Esto puede proporcionar a un usuario con pocos privilegios una elevación de permisos para ganar una condición de ejecución que recreará los archivos del sistema y realizará una devolución de llamada de Windows a un archivo especialmente manipulado que podría usarse para iniciar una instancia de shell privilegiada. Este problema afecta a Avast Antivirus antes de la versión 24.2.
A sym-linked file accessed via the repair function in Avast Antivirus <24.2 on Windows may allow user to elevate privilege to delete arbitrary files or run processes as NT AUTHORITY\SYSTEM. The vulnerability exists within the "Repair" (settings -> troubleshooting -> repair) feature, which attempts to delete a file in the current user's AppData directory as NT AUTHORITY\SYSTEM. A low-privileged user can make a pseudo-symlink and a junction folder and point to a file on the system. This can provide a low-privileged user an Elevation of Privilege to win a race-condition which will re-create the system files and make Windows callback to a specially-crafted file which could be used to launch a privileged shell instance. This issue affects Avast Antivirus prior to 24.2.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-18 CVE Reserved
- 2024-06-10 CVE Published
- 2024-08-01 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-1284: Improper Validation of Specified Quantity in Input
CAPEC
- CAPEC-233: Privilege Escalation
References (1)
| URL | Tag | Source |
|---|---|---|
| https://support.norton.com/sp/static/external/tools/security-advisories.html | Not Applicable |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Avast Search vendor "Avast" | Antivirus Search vendor "Avast" for product "Antivirus" | < 24.2 Search vendor "Avast" for product "Antivirus" and version " < 24.2" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|