CVE-2020-10551 – privilege escalation in QQBrowser

QQBrowser is a web browser developed by Tencent. It is one of the most popular web browsers used in China. During our tests, we have found a vulnerability which allows an unprivileged local attacker to gain code execution as NT AUTHORITY\SYSTEM.

CVEID: CVE-2020-10551
Name of the affected product(s) and version(s): QQBrowser (all versions prior to 10.5.3870.400)
Problem type: CWE-284: Improper Access Control

Summary

All version of QQBrowser prior to 10.5.3870.400 do not correctly set up ACLs for a TsService.exe file. A malicious local attacker could overwrite the file to gain access to NT AUTHORITY\SYSTEM account, which is the highest privileged account on a Windows system.

Description

QQBrowser creates a Windows service with ImagePath pointing to a TsService.exe file in its installation directory (default: C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe). This file’s permissions allow for writing by members of NT AUTHORITY\Authenticated Users group which by default includes all users. An attacker could exploit the vulnerability by replacing TsService.exe with his own executable, which would then be invoked with NT AUTHORITY\SYSTEM privileges.

Reproduction

Delete TsService.exe and replace it with a different program. Reboot the system.

Remedy

Install a newer version of QQBrowser.

Dodaj komentarz

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *