Skip to content

seqred-s-a/CVE-2020-10551

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVEID: CVE-2020-10551

Name of the affected product(s) and version(s): QQBrowser (all versions prior to 10.5.3870.400)

Problem type: CWE-284: Improper Access Control


Summary

QQBrowser is a web browser developed by Tencent. It is one of the most popular web browsers used in China. During our tests, we have found a vulnerability which allows an unprivileged local attacker to gain code execution as NT AUTHORITY\SYSTEM.

All version of QQBrowser prior to 10.5.3870.400 do not correctly set up ACLs for a TsService.exe file. A malicious local attacker could overwrite the file to gain access to NT AUTHORITY\SYSTEM account, which is the highest privileged account on a Windows system.

Description

QQBrowser creates a Windows service with ImagePath pointing to a TsService.exe file in its installation directory (default: C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe). This file’s permissions allow for writing by members of NT AUTHORITY\Authenticated Users group which by default includes all users. An attacker could exploit the vulnerability by replacing TsService.exe with his own executable, which would then be invoked with NT AUTHORITY\SYSTEM privileges.

Reproduction

Delete TsService.exe and replace it with a different program. Reboot the system.

Remedy

Install a newer version of QQBrowser.