In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could overwrite arbitrary local system files with log content at SYSTEM privilege.
Non-administrative users can exploit a vulnerability in older versions of Tenable Agent on Windows to overwrite arbitrary system files with SYSTEM privileges, leading to complete system compromise. This allows attackers to achieve remote code execution (RCE) and potentially gain full control of the affected host. The vulnerability stems from insecure handling of log file writes, enabling privilege escalation.
Step 1: User Interaction: A non-administrative user interacts with the compromised system, potentially through a crafted input or a malicious file.
Step 2: Payload Delivery: The attacker crafts a payload designed to exploit the vulnerability. This payload could be a specially formatted input that, when logged by the Tenable Agent, overwrites a critical system file.
Step 3: Log File Manipulation: The attacker's crafted input, when processed by the Tenable Agent, is written to a log file. The vulnerability allows the attacker to control the content and potentially the destination of the log file.
Step 4: File Overwrite: The attacker's payload, written to the log file, overwrites a critical system file with SYSTEM privileges. This could be a DLL, an executable, or a configuration file.
Step 5: Code Execution: The overwritten system file is executed, leading to arbitrary code execution with SYSTEM privileges. This allows the attacker to gain full control of the system.
The vulnerability arises from a flaw in how Tenable Agent handles log file writes. Specifically, the agent allows a non-administrative user to influence the content and potentially the destination of log files written with SYSTEM privileges. The root cause is likely a lack of proper input validation or sanitization when processing user-controlled data that is then written to log files. This could involve a path traversal vulnerability, allowing an attacker to specify a target file outside of the intended log directory, or a format string bug that allows for arbitrary file content injection. The agent's logging mechanism likely uses a function that, due to inadequate checks, allows for the overwriting of files with SYSTEM privileges. This could be due to a race condition where the agent doesn't properly lock the log file during write operations, or a privilege escalation flaw where the agent doesn't verify the user's permissions before writing to the file.
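The two weaknesses the paragraph names, an attacker-influenced destination and attacker-influenced content, are what a privileged log writer has to rule out. The following is an added example of a hardened log-write routine written for this page; it is not Tenable's code, and `DEFAULT_LOG_ROOT` is a placeholder, not the agent's real log directory.

```python
from __future__ import annotations

import os
import re
from pathlib import Path

# Placeholder for the agent's log directory (assumed; not Tenable's actual path).
DEFAULT_LOG_ROOT = Path("logs")

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_log_line(text: str) -> str:
    """Replace control characters (CR, LF, NUL, ...) so caller-supplied text
    cannot forge extra log records or inject binary content into the file."""
    return _CONTROL.sub("?", text)


def check_log_target(log_root: Path, name: str) -> tuple[bool, str]:
    """Decide whether <log_root>/<name> is a safe place for a privileged write.

    Rejects directory components and traversal in the name, a symlink or
    junction planted at the target, and any canonical path that ends up
    outside the log directory. Returns (ok, reason)."""
    root = log_root.resolve(strict=True)
    if not name or name in (".", "..") or Path(name).name != name:
        return False, "name must be a plain file name without directory components"
    target = root / name
    if target.is_symlink():
        return False, "target is a symlink; refusing to follow a planted redirect"
    if target.resolve(strict=False).parent != root:
        return False, "canonical path escapes the log directory"
    return True, "ok"


def write_log_line(log_root: Path, name: str, message: str) -> Path:
    """Append one sanitized line to the log, or raise PermissionError."""
    ok, reason = check_log_target(log_root, name)
    if not ok:
        raise PermissionError(f"refusing log write to {name!r}: {reason}")
    target = log_root.resolve(strict=True) / name
    # O_NOFOLLOW (POSIX) narrows the check-then-open window: a symlink swapped
    # in after the check makes open() fail instead of writing through it. On
    # Windows the equivalent is CreateFile with FILE_FLAG_OPEN_REPARSE_POINT.
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(sanitize_log_line(message) + "\n")
    return target
```

A service running as SYSTEM should additionally keep the log directory's ACL free of write or create-file rights for non-administrative users, since no path check helps if the directory itself can be replaced.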