Local privilege escalation in AVG Internet Security v24 on Windows allows a local unprivileged user to escalate privileges to SYSTEM via COM hijacking.
This was possible by using COM hijacking to execute code in the context of a trusted front-end process. The trust between the front end and the back end was then abused to load a DLL into a process running as SYSTEM, allowing an attacker to execute code as SYSTEM.
For CVE assignment, we tried contacting AVG and security@nortonlifelock.com after the fixed release but got no response.
The vulnerability was acknowledged and fixed by AVG within three months.
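A defender-side check for the technique named above, as an added example that is not part of the original advisory or the vendor's code: COM hijacking by an unprivileged user generally relies on a per-user registration under HKCU taking precedence over a machine-wide CLSID, so this script parses saved output of `reg query HKCU\Software\Classes\CLSID /s` and `reg query HKLM\Software\Classes\CLSID /s` and reports per-user COM servers that shadow a machine-wide CLSID. The function names are hypothetical, and the sample CLSIDs and paths are constructed.

```python
import re

# Key lines from `reg query <hive>\Software\Classes\CLSID /s` naming a COM server subkey.
KEY_RE = re.compile(r"^HKEY_\w+\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})"
                    r"\\(InprocServer32|LocalServer32)$", re.IGNORECASE)
# Default value line. "(Default)" is the English label; localized Windows differs.
DEFAULT_RE = re.compile(r"^\s+\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)")

# Constructed sample output (CLSIDs and paths are made up for illustration).
SAMPLE_HKCU = r"""
HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Local\Temp\helper.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Local\ExampleApp\shellext.dll
"""
SAMPLE_HKLM = r"""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\ExampleAV\ui_component.dll
"""

def parse_servers(reg_output):
    """Map (CLSID, server subkey) -> registered path from reg query text."""
    servers, current = {}, None
    for line in reg_output.splitlines():
        if line and not line[0].isspace():          # a registry key line
            m = KEY_RE.match(line.rstrip())
            current = (m.group(1).upper(), m.group(2)) if m else None
        elif current:                               # a value under a server subkey
            d = DEFAULT_RE.match(line)
            if d:
                servers[current] = d.group(1)
    return servers

def find_shadowed(hkcu_output, hklm_output):
    """Per-user COM servers whose CLSID is also registered machine-wide."""
    machine = {clsid for clsid, _ in parse_servers(hklm_output)}
    return sorted((clsid, kind, path)
                  for (clsid, kind), path in parse_servers(hkcu_output).items()
                  if clsid in machine)

if __name__ == "__main__":
    for hit in find_shadowed(SAMPLE_HKCU, SAMPLE_HKLM):
        print("per-user override of machine-wide CLSID:", *hit)
```

Per-user registrations that do not shadow a machine-wide CLSID are common for legitimate software, which is why only the overlap is reported; each hit still needs review of the DLL path and its signer.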
CVSS Score: 7.8 (CVSS v3)
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Version: Versions < 24.1
Fixed Version: 24.1
Credits: Kolja Grassmann
Vendor informed about the vulnerability via sec.report@avg.com
Second attempt to contact the vendor via dach@avast.com
Third attempt to contact the vendor via support@help.avg.com
Initial response from support that they have escalated the issue internally
Email from support stating that they want to address the issue now. However, the writeup on the vulnerability was automatically deleted in the meantime. We provided the details of the vulnerability again. The writeup was passed on internally.
We asked for a status update, as the deadline according to our disclosure policy was approaching.
Vendor provided us with a beta version in which the issue is patched.
Vendor informed us that the issue should now be fixed in the release version 24.1.