Maciej Miszczyk
CVE-2020-10551 - privilege escalation in QQBrowser
QQBrowser is a web browser developed by Tencent. It is one of the most popular web browsers used in China. During our tests, we have found a vulnerability which allows an unprivileged local attacker to gain code execution as NT AUTHORITY\SYSTEM.
CVEID: CVE-2020-10551
Name of the affected product(s) and version(s): QQBrowser (all
versions prior to 10.5.3870.400)
Problem type: CWE-284: Improper Access Control
Summary
All version of QQBrowser prior to 10.5.3870.400 do not correctly set up ACLs for a TsService.exe file. A malicious local attacker could overwrite the file to gain access to NT AUTHORITY\SYSTEM account, which is the highest privileged account on a Windows system.
Description
QQBrowser creates a Windows service with ImagePath pointing to a TsService.exe file in its installation directory (default: C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe). This file’s permissions allow for writing by members of NT AUTHORITY\Authenticated Users group which by default includes all users. An attacker could exploit the vulnerability by replacing TsService.exe with his own executable, which would then be invoked with NT AUTHORITY\SYSTEM privileges.
Reproduction
Delete TsService.exe and replace it with a different program. Reboot the system.
Remedy
Install a newer version of QQBrowser.