Avira Internet Security Optimizer TOCTOU Vulnerability Leading to Privilege Escalation

Vulnerability

A time-of-check time-of-use (TOCTOU) vulnerability has been identified in the Optimizer component of Avira Internet Security, version 1.1.109.1990 and prior. This vulnerability allows a local attacker to manipulate the deletion process of directories by replacing a scanned directory with a junction or reparse point before the cleanup phase, which is executed by a privileged service running as SYSTEM. As a result, the process may inadvertently delete important system files or directories, potentially leading to unauthorized privilege escalation, a denial-of-service, or a compromise of system integrity, depending on the targeted location.

Impact

Exploitation of this vulnerability allows for local privilege escalation to SYSTEM, as well as the potential for arbitrary deletion of files or directories, which could disrupt system operations or integrity.

Reproduction

To reproduce this vulnerability, first create a directory in a temporary location that is at least 10 minutes old, so it is recognized as 'junk' by the Optimizer. Then, navigate to the Optimizer module in the Avira Internet Security application and initiate a scan. After the scan is complete, the Optimizer will identify the directory as junk. Before the cleanup phase begins, replace the scanned directory with a junction point to 'C:\config.msi'. When the Optimizer process runs as SYSTEM, it will follow the junction and delete the 'config.msi' file. This action triggers a Windows Installer rollback, which can be exploited to escalate privileges by dropping a DLL that is executed in a SYSTEM context.

Remediation

Users can update to Avira Internet Security version 1.1.114.3113 or later, where this vulnerability has been fixed.
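
For developers of similar cleanup services, the time-of-use check that the reproduction steps show to be missing can be sketched as follows. This is an added example, not Avira's code or its fix; the function names, the recorded (device, inode) identity and the temp-directory scenario are assumptions, and a symlink stands in for the junction so the demo also runs outside Windows.

```python
import os, shutil, stat, tempfile

def is_reparse_or_link(st):
    # Junctions surface as FILE_ATTRIBUTE_REPARSE_POINT on Windows; symlinks as S_ISLNK.
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def scan(path):
    """Scan phase: accept only real directories and record their identity."""
    st = os.lstat(path)  # lstat does not follow links or junctions
    if is_reparse_or_link(st) or not stat.S_ISDIR(st.st_mode):
        return None
    return {"path": path, "id": (st.st_dev, st.st_ino)}

def cleanup(entry):
    """Cleanup phase: re-validate at time of use instead of trusting the scan."""
    try:
        st = os.lstat(entry["path"])
    except FileNotFoundError:
        return "skipped: gone"
    if is_reparse_or_link(st):
        return "refused: reparse point"
    if (st.st_dev, st.st_ino) != entry["id"]:
        return "refused: identity changed"
    # A small window remains between this check and the delete; a privileged
    # service should also delete through a handle opened without following
    # reparse points, or impersonate the requesting user while deleting.
    shutil.rmtree(entry["path"])
    return "deleted"

def demo():
    """Constructed scenario in a temp dir; a symlink stands in for the junction."""
    root = tempfile.mkdtemp()
    protected = os.path.join(root, "protected")
    os.mkdir(protected)
    keep = os.path.join(protected, "keep.txt")
    open(keep, "w").close()
    junk_a, junk_b = os.path.join(root, "junk_a"), os.path.join(root, "junk_b")
    for d in (junk_a, junk_b):
        os.mkdir(d)
    found = [scan(junk_a), scan(junk_b)]
    os.rmdir(junk_a)  # swap after the scan, before cleanup
    os.symlink(protected, junk_a, target_is_directory=True)
    result = {"swapped": cleanup(found[0]), "untouched": cleanup(found[1]),
              "protected_intact": os.path.exists(keep)}
    shutil.rmtree(root)
    return result

if __name__ == "__main__":
    print(demo())
```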

Added: Mar 5, 2026, 3:18 PM
Updated: Mar 5, 2026, 3:18 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 10.0
exploitability: 3.8
remediation: 7.7
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.