This function appears to make sure that “ C:\ProgramData\Avira\VPN\Update” is locked down and cannot be written to by a low privileged user (in order to protect the update executable before it is executed).
DOWNLOAD SNAGIT FOR MAC 2019.1.3 NULL INSTALL
If the update executable’s ProductVersion is greater than the ProductVersion of “”, then the service continues down the path to install it:Īfter validating that “ C:\ProgramData\Avira\VPN\Update\AviraVPNInstaller.exe” exists and hasn’t already been installed, the service makes a call to “ Updater.IsUpdateFolderAccessRestricted()”.
The service determines if the update is already present or not by comparing the “ ProductVersion” property on the update executable with the “ ProductVersion” property on the VPN service itself (). In order to do this, it checks for the existence of “ C:\ProgramData\Avira\VPN\Update\AviraVPNInstaller.exe” and if the update file has already been installed or not: Upon entering “ Updater.UpdateToNewPackageifValid()”, the service first checks if there is an update that is downloaded via a call to “ Updater.CheckForDownloadedUpdatePackage()”.
This function handles all the logic for updating the VPN software: The service does so by calling “ VPNUpdater.UpdateProduct()”, which in turn calls “ Updater.UpdateToNewPackageIfValid()”. When the Phantom VPN Service () starts, one of the first things it does is check for updates, which is done in C:\ProgramData (which is writable for low privileged users by default). A DLL hijack will occur, resulting in code-execution as SYSTEM. This allows an attacker to plant a valid Avira executable along with a malicious DLL in “ C:\ProgramData\Avira\VPN\Update” and cause the service to execute the update file. Additionally, the service implements checks to prevent exploitation that can be circumvented. The service executes the update from C:\ProgramData\Avira\VPN\Update, which is writable by a low privileged user. Vulnerability: Avira VPN Service Local Privilege Escalationīrief Description: When the Phantom VPN Service () starts, it checks to see if there are any updates available.
0 kommentar(er)
