Security News > 2023 > September > N-Able's Take Control Agent Vulnerability Exposes Windows Systems to Privilege Escalation

N-Able's Take Control Agent Vulnerability Exposes Windows Systems to Privilege Escalation
2023-09-14 09:52

A high-severity security flaw has been disclosed in N-Able's Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges.

Tracked as CVE-2023-27470, the issue relates to a Time-of-Check to Time-of-Use race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows system.

According to the Google-owned threat intelligence firm, CVE-2023-27470 arises from a TOCTOU race condition in the Take Control Agent between logging multiple file deletion events and each delete action from a specific folder named "C:ProgramDataGetSupportService N-CentralPushUpdates."

Even more troublingly, this arbitrary file deletion could be weaponized to secure an elevated Command Prompt by taking advantage of a race condition attack targeting the Windows installer's rollback functionality, potentially leading to code execution.

"Arbitrary file deletion exploits are no longer limited to [denial-of-service attacks and can indeed serve as a means to achieve elevated code execution," Oliveau said, adding such exploits can be combined with "MSI's rollback functionality to introduce arbitrary files into the system."

"A seemingly innocuous process of logging and deleting events within an insecure folder can enable an attacker to create pseudo-symlinks, deceiving privileged processes into running actions on unintended files."


News URL

https://thehackernews.com/2023/09/n-ables-take-control-agent.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-09-11 CVE-2023-27470 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in N-Able Take Control 7.0.41.1141
BASupSrvcUpdater.exe in N-able Take Control Agent through 7.0.41.1141 before 7.0.43 has a TOCTOU Race Condition via a pseudo-symlink at %PROGRAMDATA%\GetSupportService_N-Central\PushUpdates, leading to arbitrary file deletion.
local
high complexity
n-able CWE-367
7.0