[0-days] Adaware Antivirus Quarantine Flaws Allow Privilege Escalation (CVE-2019-18979) [Full Disclosure]
Introduction
Adaware did not fix this vulnerability within 90 days. I therefore consider it proper to publicly disclose this vulnerability, so that their customers know that using this product carries risk at this moment. (No patch)
This vulnerability allows escalation of privilege from a LOW PRIVILEGE user to SYSTEM PRIVILEGE (the highest privilege on Windows).
Description of Vulnerability
- Title: Adaware Antivirus Quarantine Flaws Allow Privilege Escalation
- Product: Adaware Antivirus
- Version: 12.6.1005.11662 - 12.7.1055.0 (latest version as of 18 March 2020)
- CVE Assigned: CVE-2019-18979
- Homepage: https://www.adaware.com
Vulnerability Requirement
1. An authenticated user is required
2. A file that Adaware detects as malware. In this case it was created with msfvenom
3. DLL name: WSDNS.dll
Vulnerability Summary Information
- Vulnerability Class: Privilege Escalation
- Affected Versions Tested: 12.6.1005.11662 and 12.7.1055.0 (latest version as of 18 March 2020)
- Test on: Windows 10 x64
Researcher
Kusol Watchara-Apanukorn
How I found this vulnerability
1. As you can see, “Adaware Antivirus” uses “SYSTEM PRIVILEGE” to “Quarantine and Restore”. That means this function can be used to escalate privilege.
2. As you can see in the picture below, a DLL hijacking technique can also be used with this flaw.
Proof of Concept
1. Create a malicious DLL with msfvenom and wait for the reverse shell
2. In this case we authenticate as a LOW PRIVILEGE user
3. Plant the malicious DLL on any path that the attacker can modify. In this case we created a new folder on the desktop and planted it there
4. Scan with “Adaware Antivirus”
5. The antivirus will alert
6. Keep the malware in “Quarantine”, then click “CLEAN”
7. Use the NTFS junction technique by creating a mount point to “C:\Windows\System32”.
8. Restore the malicious DLL
9. As you can see, it is planted in “C:\Windows\System32”
10. Restart the victim machine (or restart the service if you can) and click update in the antivirus
11. Wait and see the result
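The root cause of the steps above is that the privileged restore trusts the folder path recorded at quarantine time, even after that folder has been swapped for a junction. The following check is an added illustration of the mitigation a hardened restore routine would apply; it is not Adaware's code, and it uses a symlink in a temporary directory as a constructed stand-in for the NTFS junction and for C:\Windows\System32.

```python
import os
import stat
import tempfile

# Added illustration, not Adaware's code: a privileged "restore from quarantine"
# must not trust the path recorded at quarantine time, because the user-writable
# folder may since have been replaced by an NTFS junction (a reparse point).
FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows file-attribute flag

def is_reparse_point(path):
    """True if path is a symlink or (on Windows) any other reparse point."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)  # populated only on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)

def quarantine_record(original_path):
    """Store the path plus where its directory really resolved at quarantine time."""
    return {"path": original_path,
            "resolved_dir": os.path.realpath(os.path.dirname(original_path))}

def restore_target_is_safe(record):
    """Refuse the restore if the destination no longer resolves where it did."""
    directory = os.path.dirname(record["path"])
    if is_reparse_point(directory):          # folder itself swapped for a junction
        return False
    if os.path.realpath(directory) != record["resolved_dir"]:
        return False                         # a parent component now redirects
    dest = os.path.realpath(record["path"])  # final component could be a link too
    return os.path.commonpath([dest, record["resolved_dir"]]) == record["resolved_dir"]

def demo():
    """Constructed scenario mirroring the PoC; returns (before swap, after swap)."""
    with tempfile.TemporaryDirectory() as root:
        user_dir = os.path.join(root, "Users", "low", "Desktop", "test")
        system32 = os.path.join(root, "Windows", "System32")  # stand-in target
        os.makedirs(user_dir)
        os.makedirs(system32)
        sample = os.path.join(user_dir, "WSDNS.dll")
        open(sample, "w").close()
        record = quarantine_record(sample)
        os.remove(sample)                    # file moved into quarantine
        before = restore_target_is_safe(record)
        os.rmdir(user_dir)                   # folder replaced by a link (junction stand-in)
        os.symlink(system32, user_dir, target_is_directory=True)
        return before, restore_target_is_safe(record)
```

Calling demo() returns (True, False): the restore is allowed while the folder is the one the file came from and refused once the folder resolves into the protected directory.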
Timeline (Last updated 18/04/2020)
21 Oct 2019 — Found the vulnerability and reported it to Adaware
21 Oct 2019 — Adaware replied and acknowledged
25 Oct 2019 — Adaware sent the report to the developer team
8 Jan 2020 — Notified them to fix this issue before 31 January 2020; after that I would publicly disclose
11 Jan 2020 — They said they sent a request for the update to a manager
24 Jan 2020 — Notified Adaware of the final announcement before public disclosure
27 Jan 2020 — Reply from the manager that my case is the highest priority and he will update me again
27 Jan 2020 — Gave them more time; I changed their deadline to 3 February 2020
28 Jan 2020 — He said the customer service manager has no power to influence the speed of the development team's work, but he will do his best
18 March 2020 — Past the last deadline with no news from Adaware.
18 March 2020 — Limited public disclosure on Medium
18 March 2020 — CVE-2019-18979 assigned
27 March 2020 — NVD scored by CVSS 3.1 as HIGH
18 April 2020 — Updated to full disclosure
References
CVE Assigned: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-18979
Same Vulnerability (CVE-2019-18194): https://www.youtube.com/watch?v=88qeaLq98Gc&t=32s
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-18979#VulnChangeHistorySection