[0-days] Adaware Antivirus Quarantine Flaws Allow Privilege Escalation (CVE-2019-18979) [Full Disclosure]

SHA999
Mar 18, 2020


Adaware has been downloaded over 390,000,000,000 times

Introduction

Adaware did not fix this vulnerability within 90 days. I therefore consider it proper to publicly disclose it, so that their customers know they are at risk using this product at this moment. (No patch.)

This vulnerability allows escalation from a LOW PRIVILEGE user to SYSTEM PRIVILEGE (the highest privilege on Windows).

Description of Vulnerability

  1. Title: Adaware Antivirus Quarantine Flaws Allow Privilege Escalation
  2. Product: Adaware Antivirus
  3. Version: 12.6.1005.11662 - 12.7.1055.0 (Latest version on 18 March 2020)
  4. CVE Assigned: CVE-2019-18979
  5. Homepage: https://www.adaware.com

Vulnerability Requirements

  1. An authenticated user
  2. Malware that Adaware can detect. In this case we created it with msfvenom
  3. DLL name: WSDNS.dll

Vulnerability Summary Information

  1. Vulnerability Class: Privilege Escalation
  2. Affected Versions Tested: 12.6.1005.11662 and 12.7.1055.0 (Latest version on 18 March 2020)
  3. Test on: Windows 10 x64

Researcher

Kusol Watchara-Apanukorn

How I found this vulnerability

  1. As you can see, “Adaware Antivirus” uses “SYSTEM PRIVILEGE” to “Quarantine and Restore”. That means this function can be used to escalate privilege.
SYSTEM PRIVILEGE to Quarantine and Restore

  2. As you can see in the picture below, we can also use the DLL hijacking technique with this flaw.

NAME NOT FOUND

Proof of Concept

  1. Create a malicious DLL with msfvenom and wait for the reverse shell

  2. In this case we authenticate as a LOW PRIVILEGE user

  3. Plant the malicious DLL on any path that the attacker can modify. In this case we created a new folder on the desktop and planted it there

  4. Scan with “Adaware Antivirus”

Scan the malicious file

  5. The antivirus will alert

Alert!

  6. Keep the malware in “Quarantine”, then click “CLEAN”

  7. Use the NTFS junction technique by creating a mount point to “C:\Windows\System32”.

  8. Restore the malicious DLL

  9. As you can see, it is planted in “C:\Windows\System32”

  10. Restart the victim machine (or restart the service, if you can) and click update in the antivirus

  11. Wait and see the result
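The root cause in steps 7 to 9 is a privileged restore that follows a user-created mount point. As an added example (not Adaware's code, nor the author's), the check below is what a restore routine running as SYSTEM should do before writing a quarantined file back: refuse if any path component below the user's original folder is a reparse point, or if the canonical destination escapes that folder. On non-Windows hosts a symlink stands in for the NTFS junction; the `demo()` tree, folder names and `WSDNS.dll` destination are constructed sample input.

```python
import os
import stat
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows-only bit in os.lstat().st_file_attributes

def is_reparse_point(path: Path) -> bool:
    """True if `path` itself is a symlink or an NTFS reparse point (junction/mount point)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)

def restore_path_is_safe(dest: str, user_root: str) -> tuple[bool, str]:
    """May a privileged service write a quarantined file back to `dest`?
    `user_root` is the user-writable folder the file was quarantined from."""
    root = Path(os.path.normpath(os.path.abspath(user_root)))
    try:  # lexical containment first (normpath collapses any "..")
        rel = Path(os.path.normpath(os.path.abspath(dest))).relative_to(root)
    except ValueError:
        return False, "destination not under quarantine origin"
    # A junction/symlink below the user folder would redirect the SYSTEM-level write.
    cur = root
    for part in rel.parts:
        cur = cur / part
        if is_reparse_point(cur):
            return False, f"reparse point in path: {cur}"
    # Belt and braces: the canonical parent must still sit inside the origin.
    root_real = Path(os.path.realpath(root))
    parent_real = Path(os.path.realpath(Path(dest).parent))
    if parent_real != root_real and root_real not in parent_real.parents:
        return False, f"canonical path escapes origin: {parent_real}"
    return True, "ok"

def demo() -> dict[str, bool]:
    # Constructed tree: a symlink stands in for the NTFS mount point so this also runs on Linux.
    tmp = Path(tempfile.mkdtemp())
    origin = tmp / "Desktop" / "test"
    (origin / "clean").mkdir(parents=True)
    (tmp / "System32").mkdir()  # stand-in for C:\Windows\System32
    os.symlink(tmp / "System32", origin / "junction")
    check = lambda p: restore_path_is_safe(str(p), str(origin))[0]
    return {"clean": check(origin / "clean" / "WSDNS.dll"),
            "junction": check(origin / "junction" / "WSDNS.dll"),
            "outside": check(tmp / "System32" / "WSDNS.dll")}
```

A check-then-write sequence can still be raced, so a real service should additionally perform the restore while impersonating the requesting user rather than as SYSTEM.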

Timeline (Last updated 18/04/2020)

21 Oct 2019 — Found vulnerability and reported to Adaware

21 Oct 2019 — Adaware replied and acknowledged

25 Oct 2019 — Adaware sent the report to the developer team

8 Jan 2020 — Notified Adaware to fix this issue before 31st January 2020, after which I would publicly disclose

11 Jan 2020 — They said they had sent the update request to a manager

24 Jan 2020 — Notified Adaware with the final announcement before public disclosure

27 Jan 2020 — Reply from the manager that my case is the highest priority and he will update me again

27 Jan 2020 — Gave them more time. I changed their deadline to 3 February 2020

28 Jan 2020 — He said the customer service manager has no power to influence the speed of the development team's work, but he will do his best

18 March 2020 — Past the last deadline and no news from Adaware.

18 March 2020 — Limited public disclosure on Medium

18 March 2020 — CVE-2019-18979 assigned

27 March 2020 — NVD scored it HIGH under CVSS 3.1

18 April 2020 — Updated to full disclosure

References

CVE Assigned => https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-18979

Similar Vulnerability (CVE-2019-18194) => https://www.youtube.com/watch?v=88qeaLq98Gc&t=32s

NVD => https://nvd.nist.gov/vuln/detail/CVE-2019-18979#VulnChangeHistorySection


SHA999

Lead Pentester | GPEN | OSCP | eCXD | Python for Pentesters