
CVE-2020-10551 PoC — Tencent QQBrowser security vulnerability

Associated Vulnerability
Title: Tencent QQBrowser security vulnerability (CVE-2020-10551)
Description: Tencent QQBrowser is a web browser made by the Chinese company Tencent. Versions of Tencent QQBrowser prior to 10.5.3870.400 contain a security vulnerability that stems from members of the NT AUTHORITY\Authenticated Users group being able to write to the TsService.exe file. A local attacker can exploit this vulnerability by writing a malicious executable to the location of TsService, escalating privileges to NT AUTHORITY\SYSTEM.
Description
Privilege escalation in QQBrowser
Readme
**CVEID**: CVE-2020-10551

**Name of the affected product(s) and version(s)**: QQBrowser (all versions prior to 10.5.3870.400)

**Problem type**: CWE-284: Improper Access Control

---

**Summary**

QQBrowser is a web browser developed by Tencent. It is one of the most popular web browsers used in China.
During our tests, we found a vulnerability which allows an unprivileged local attacker to gain code
execution as NT AUTHORITY\SYSTEM.

All versions of QQBrowser prior to 10.5.3870.400 do not correctly set up ACLs for the TsService.exe file.
A malicious local attacker could overwrite the file to gain access to the NT AUTHORITY\SYSTEM account, which
is the highest-privileged account on a Windows system.
 
**Description**
 
QQBrowser creates a Windows service whose ImagePath points to a TsService.exe file in its installation directory
(default: C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe). This file's permissions allow writing by members
of the NT AUTHORITY\Authenticated Users group, which by default includes all users. An attacker could exploit the vulnerability
by replacing TsService.exe with their own executable, which would then be invoked with NT AUTHORITY\SYSTEM privileges.
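The following audit script is an added example for defenders and is not the PoC's exploit.ps1 or any code from the advisory. It checks whether a service binary grants write-class rights (Write, Modify, Delete or FullControl) to broad principals such as Authenticated Users, Everyone or BUILTIN\Users, which is exactly the misconfiguration described above. The default path is the one given in the advisory; the function names, the `Find-WritableServiceBinaries` helper that extends the check to every installed service, and the simple ImagePath parser are assumptions made for this example.

```powershell
# Added audit example (not part of the original PoC or advisory).
# Reports service binaries that broad groups are allowed to overwrite.

# Rights that let a caller replace or change the file's contents.
$script:WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                    [System.Security.AccessControl.FileSystemRights]::Modify -bor
                    [System.Security.AccessControl.FileSystemRights]::Delete -bor
                    [System.Security.AccessControl.FileSystemRights]::FullControl

# Well-known SIDs whose membership effectively means "any local user".
$script:BroadSids = @(
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0',       # Everyone
    'S-1-5-32-545'   # BUILTIN\Users
)

function Test-ServiceBinaryWritable {
    # Returns the Allow ACEs on $Path that give a broad group write-class rights.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Findings = @() }
    }

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Normalise the identity to a SID so localized group names do not matter.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (($script:BroadSids -contains $sid) -and ($ace.FileSystemRights -band $script:WriteMask)) {
            [pscustomobject]@{
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; Findings = @($findings) }
}

function Get-ServiceBinaryPath {
    # Extracts the executable from a Win32_Service PathName (ImagePath), which
    # may be quoted, unquoted, and followed by arguments. Heuristic, assumed here.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^"([^"]+)"')          { return $Matches[1] }
    if ($PathName -match '^(?i)(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Find-WritableServiceBinaries {
    # Generalisation of the single-file check: audits every installed service.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $path   = Get-ServiceBinaryPath -PathName $_.PathName
        $result = Test-ServiceBinaryWritable -Path $path
        if ($result.Exists -and $result.Findings.Count -gt 0) {
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName      # LocalSystem here means SYSTEM-level impact
                Path      = $path
                Findings  = $result.Findings
            }
        }
    }
}

# Usage: check the advisory's default location, then sweep all services.
Test-ServiceBinaryWritable -Path 'C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe' |
    Format-List
Find-WritableServiceBinaries | Format-Table -AutoSize
```

A non-empty `Findings` list for a service whose `RunsAs` is `LocalSystem` is the condition the advisory describes. The fix the advisory gives is upgrading; until that is done, the same ACL data tells an administrator which ACE to tighten so that only SYSTEM and Administrators can modify the binary.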
 
**Reproduction**
 
Delete TsService.exe and replace it with a different program. Reboot the system.

**Remedy**

Install a newer version of QQBrowser (10.5.3870.400 or later).
File Snapshot

```
/data/pocs/6dede3b5ce7587cb87afce973a04d677cdc85840
├── [1.1K] exploit.ps1
└── [1.3K] README.md

0 directories, 2 files
```