A high-severity security flaw has been disclosed in N-Able’s Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges.
Tracked as CVE-2023-27470, the issue relates to a Time-of-Check to Time-of-Use race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows system.
According to the Google-owned threat intelligence firm, CVE-2023-27470 arises from a TOCTOU race condition in the Take Control Agent between logging multiple file deletion events and each delete action from a specific folder named “C:ProgramDataGetSupportService N-CentralPushUpdates.”
Even more troublingly, this arbitrary file deletion could be weaponized to secure an elevated Command Prompt by taking advantage of a race condition attack targeting the Windows installer’s rollback functionality, potentially leading to code execution.
“Arbitrary file deletion exploits are no longer limited to [denial-of-service attacks and can indeed serve as a means to achieve elevated code execution,” Oliveau said, adding such exploits can be combined with “MSI’s rollback functionality to introduce arbitrary files into the system.”
“A seemingly innocuous process of logging and deleting events within an insecure folder can enable an attacker to create pseudo-symlinks, deceiving privileged processes into running actions on unintended files.”
