CVE-2022-3368

PoC for arbitrary file move vulnerability in Software Update component of Avira Security. Users have option to use this feature to update any outdated software on their PC ,when this feature is used Avira Security service will drop downloaded files in c:\ProgramData\Avira\Security\Temp. First file that is created in subdirectory is in format <random 4 numbers>_<filename> then later this file is moved to just <filename> (leading numbers and underscore are removed).This directory have DACL's that dont allow unprivileged users to modify/delete newly created files but it will allow user to create junction. This can abused by creating junction point to user controlled directory which have more permissive DACL's , this way when new files are created in subdirectories user will be able to modify them and leverage it to obtain arbitrary file move which leads to LPE by writing dll in system32 directory that is later loaded by privileged service.

Current PoC will load dll in windows update service, dll dont implement any kind of mutex to check if exploit was already executed which result in creating multiple cmd.exe process as dll is loaded multiple times.

video.mp4

Advisory

https://support.norton.com/sp/static/external/tools/security-advisories.html

https://cve.report/CVE-2022-3368