Arbitrary File Deletion in IOBit Advanced System Care Free 18.104.22.1683 [CVE-2020-14990]
Product: IOBit Advanced System Care Free
Tested on: Windows 10 Pro 2004 x64
Vendor informed: Yes
IOBit Advanced System Care Free and Pro (ASC) checks the OS for temporary files and deletes them to create free disk space. The scan and delete process are running in an elevated context (Administrator). ASC checks for files in \AppData\Local\Temp (%temp% environment variable) and mark files older then 24 hours for deletion. A malicious actor can wait for the ASC scan (wait for ASC.exe process) to start and write multiple files to %temp% and set the "LastWriteTime" timestamp on each file older than 24 hours. Shortly (about 1 second) after the file is created it will be deleted and replaced by a folder junction + RPC link (pseudo-symlink) by the attacker. Waiting 1 second will make sure that ASC detects the file as a temp file. When the user starts the clean operation or the clean operation is set to automatic ASC will follow the created pseudo-symlink and will delete the pseudo-symlink target (instead the original file) with elevated privileges (Administrator, integrity "high").
IOBit Advanced System Care (ASC) sets the "Junk File Clean" setting as default. So a user don´t have to select the feature manually.
After the scan ASC shows the identified files. When the user clicks on "fix" the files will be deleted in an elevated context.
Proof of Concept
In this example chrome.exe will be deleted. Chrome.exe can be accessed by regular users with read+execute rights; no right to delete nor full control.
I wrote a script to automatize the attack. An attacker can wait for the ASC.exe process. Once the process is running the attacker will create dummy files in %temp% and replace them after one second with a pseudo-symlink to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe". The scripts creates 100 pseudo-symlinks to make sure ASC will detect at least one file as a temp file.
The temp folder it will look like this:
ASC will detect at least one file as a temp file and mark them for deletion
When things get "fixed"...
...the pseudo-symlink target will be deleted
- ASC follows the reparse point
- ASC deletes the file
- A second dummy file was created but at this point the pseudo-symlink target was already deleted
Conclusion: This attack can be avoided by checking reparse points and/or impersonating a user while performing delete operations in user controlled folders / on user controlled files.
Personal Note: I contacted IOBit to submit the bug. Unfortunately they were not interested because:
Presently we have a great test team which will find out all the bugs of our products.