A high-severity security vulnerability [2] [3] [4] [5] [6] [7], known as CVE-2023-27470 [2] [3] [4] [5] [6] [7], has been disclosed in N-Able’s Take Control Agent [2] [3] [4] [5] [6] [7]. This flaw allows local unprivileged attackers to escalate privileges through a Time-of-Check-to-Time-of-Use (TOCTOU) race condition [2] [3] [4] [5] [6] [7].

Description

By exploiting this flaw [2] [5], attackers can delete arbitrary files on Windows systems [2] [3] [4] [5] [6] [7]. The vulnerability has a CVSS score of 8.8 [6]. The affected versions are 7.0.41.1141 and earlier [2] [3] [5] [7], but the issue has been resolved in version 7.0.43 [2] [5], which was released on March 15, 2023. The vulnerability was disclosed by Mandiant on February 27, 2023 [2] [5].

The vulnerability was discovered using Microsoft’s Process Monitor (ProcMon) and is caused by insecure file operations conducted by NT AUTHORITY\SYSTEM processes [1]. Specifically, the process BASupSrvcUpdater.exe, belonging to Take Control Agent version 7.0.41.1141 [1], was analyzed. To mitigate this vulnerability, organizations using N-able should upgrade to version 7.0.43 [1].
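The ProcMon review described above can be scripted for auditing your own traces. The following is an added example, not code from Mandiant or N-able: it scans a ProcMon CSV export for delete operations performed as NT AUTHORITY\SYSTEM under paths that standard users can often write to. The `User` column, the path prefixes, the Detail strings and the sample rows (including the PLACEHOLDER folder) are assumptions constructed for illustration.

```python
import csv
import io

# Assumption: prefixes where standard users can often create files.
# Confirm the real ACLs (for example with icacls) before reporting a hit.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
PRIVILEGED_USERS = {"nt authority\\system"}

# Constructed sample rows; PLACEHOLDER is not the product's real folder.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:00:01.0000001","BASupSrvcUpdater.exe","4321","SetDispositionInformationFile","C:\ProgramData\PLACEHOLDER\updates\a.log","SUCCESS","Delete: True","NT AUTHORITY\SYSTEM"
"10:00:01.0000002","BASupSrvcUpdater.exe","4321","CreateFile","C:\ProgramData\PLACEHOLDER\updates\a.log","SUCCESS","Desired Access: Read Attributes, Disposition: Open","NT AUTHORITY\SYSTEM"
"10:00:02.0000001","svchost.exe","900","SetDispositionInformationFile","C:\Windows\System32\placeholder.tmp","SUCCESS","Delete: True","NT AUTHORITY\SYSTEM"
"10:00:03.0000001","explorer.exe","5100","SetDispositionInformationFile","C:\Users\alice\Desktop\note.txt","SUCCESS","Delete: True","DESKTOP\alice"
"10:00:04.0000001","BASupSrvcUpdater.exe","4321","CreateFile","C:\ProgramData\PLACEHOLDER\updates\b.log","SUCCESS","Desired Access: Delete, Options: Non-Directory File, Delete On Close","NT AUTHORITY\SYSTEM"
'''


def is_delete(operation, detail):
    """True when a row records a delete request (Detail strings are assumed)."""
    op, det = operation.strip().lower(), detail.lower()
    if op.startswith("setdispositioninformation"):
        return "delete: true" in det or "file_disposition_delete" in det
    return op == "createfile" and "delete on close" in det


def privileged_deletes(csv_text):
    """Return (process, path) for SYSTEM deletes under user-writable prefixes."""
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        user = (row.get("User") or "").strip().lower()
        path = (row.get("Path") or "").strip()
        if user not in PRIVILEGED_USERS:
            continue
        if not path.lower().startswith(USER_WRITABLE_PREFIXES):
            continue
        if is_delete(row.get("Operation") or "", row.get("Detail") or ""):
            hits.append((row["Process Name"], path))
    return hits


if __name__ == "__main__":
    for process, path in privileged_deletes(SAMPLE):
        print(f"{process} requested delete of {path} as SYSTEM")
```

A hit is only a lead: whether the folder is actually writable by unprivileged users has to be confirmed from its ACL.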

Attackers can turn the arbitrary file deletion into elevated code execution through a race condition attack on the Windows installer’s rollback functionality [2], which also lets them gain SYSTEM privileges. The exploit can introduce arbitrary files into the system: by creating pseudo-symlinks through the logging and deletion of events within an insecure folder, attackers deceive privileged processes into executing actions on unintended files [2]. In practice, the exploit involves logging multiple file deletion events and replacing one of the files with a symbolic link [3] [7], redirecting the process to an arbitrary file on the system [2] [3]. The flaw highlights the risk of combining arbitrary file deletion with MSI’s rollback functionality to introduce unauthorized files into the system [3] [7].

Conclusion

This security vulnerability in N-Able’s Take Control Agent poses a significant risk to Windows systems, as it allows local unprivileged attackers to escalate privileges and delete arbitrary files. Organizations using N-able are strongly advised to upgrade to version 7.0.43 to mitigate this vulnerability. Exploitation of this flaw can lead to elevated code execution and SYSTEM privileges. Defenders should be aware that arbitrary files can be introduced into the system and that privileged processes can be deceived into acting on unintended files. The combination of arbitrary file deletion with MSI’s rollback functionality further increases the risk of introducing unauthorized files into the system.

References

[1] https://gbhackers.com/windows-arbitrary-file-deletion-vulnerability/
[2] https://www.linkedin.com/pulse/n-ables-take-control-agent-vulnerability-puts-windows
[3] https://vulners.com/thn/THN:81C52218E1EFB8116A5EBD59D809F188
[4] https://thehackernews.com/2023/09/n-ables-take-control-agent.html
[5] https://cert.bournemouth.ac.uk/n-ables-take-control-agent-vulnerability-exposes-windows-systems-to-privilege-escalation/
[6] https://gixtools.net/2023/09/n-ables-take-control-agent-vulnerability-exposes-windows-systems-to-privilege-escalation/
[7] https://www.redpacketsecurity.com/n-able-s-take-control-agent-vulnerability-exposes-windows-systems-to-privilege-escalation/