
Arbitrary Files and Folders Deletion vulnerability with Acronis Managed Machine Service

Medium
Acronis
Submitted None
Reported by mmg

Vulnerability Details

Technical details and impact analysis

Privilege Escalation
Summary: Using the latest version of Cyber Protection Agent (Version 12.5.23130) it is possible to perform arbitrary Files and Folders Deletion as SYSTEM. The only requirement is to have limited code execution privileges (as a member of the Authenticated Users group) in order to abuse this vulnerability.

Description: Using the latest version of Cyber Protection Agent it is possible to perform Arbitrary Files and Folders Deletion as SYSTEM. The only requirement is to have limited code execution privileges in order to abuse this vulnerability. This can be achieved by creating specific mount points which can be linked to dedicated folders in order to create a Denial of Service, reduce the security controls of the system (AppLocker policies, removal of files associated with AV solutions) or create a condition that the attacker can abuse to gain higher privileges.

Steps To Reproduce:
1. Download the latest version of the Windows Agent. URL: https://mc-beta-cloud.acronis.com/download/u/baas/4.0/12.5.23130/Cyber_Protection_Agent_for_Windows_web.exe
2. As an admin account we will create some folder structures, since we do not want to alter the current state of the OS.
3. Run the following command: mkdir C:\Windows\secret\1
4. Validate that indeed only high privileged accounts are allowed to perform actions, by checking the Security tab of this folder.
5. In this folder copy files and folders of your choosing, just to validate that they indeed get removed.
6. As a low privileged account, download and compile CreateMountPoint from https://github.com/googleprojectzero/symboliclink-testing-tools/tree/master/CreateMountPoint
7. Create the initial folder and then the mount point:
   mkdir C:\Acronis
   CreateMountPoint.exe C:\Acronis\PostRebootResult\ C:\Windows\secret\1\
8. Start Procmon, from Sysinternals, and monitor "mms.exe".
9. Restart the Acronis Managed Machine Service.
10. The mount point created in C:\Acronis\PostRebootResult\ was removed, and the content of c:\windows\secret\1\ as well.
11. You can use the command dir /s c:\Windows\secret to list the content (before and after).

Impact:
This issue could potentially allow a non-privileged local account, or process, to perform Arbitrary Files and Folders Deletion as SYSTEM. This can be achieved by creating a specific mount point which can be linked to dedicated folders in order to create:
- Denial of Service
- Data Corruption
- Reduced security controls of the system (AppLocker policies, removal of files associated with AV solutions)
- A condition that the attacker can abuse to gain higher privileges.
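The root cause described in this report is a SYSTEM service recursively deleting a directory tree (C:\Acronis\PostRebootResult) inside a location where a low-privileged user can plant a junction, so the deletion follows the reparse point into a protected folder. The following PowerShell is an added example written for this page, not Acronis code and not part of the original report: it shows the two checks a defender wants, an audit that lists reparse points planted in a service-owned tree, and a tree deletion that unlinks junctions and symlinks in place instead of descending into their targets. Function names (Get-TreeEntriesNoFollow, Get-ReparsePointsInTree, Remove-TreeNoFollow, Invoke-Demo) are hypothetical, and the demo builds its own constructed layout under %TEMP% that mirrors the report's folders rather than touching C:\Acronis or C:\Windows.

```powershell
# Added example, not Acronis code. Builds a constructed "service tree" under
# $env:TEMP containing a junction aimed at a "protected" folder, audits it,
# then deletes the tree without following the junction.

function Get-TreeEntriesNoFollow {
    # Depth-first walk that yields every entry but never descends into a
    # reparse point (junction or symlink), so a link planted in the tree
    # cannot redirect the walk into an unrelated location.
    param([Parameter(Mandatory)][string]$Root)
    foreach ($entry in Get-ChildItem -LiteralPath $Root -Force) {
        $entry
        $isLink = ($entry.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        if ($entry.PSIsContainer -and -not $isLink) {
            Get-TreeEntriesNoFollow -Root $entry.FullName
        }
    }
}

function Get-ReparsePointsInTree {
    # Audit: every junction/symlink under $Root with its link type and target.
    # A target outside $Root in a directory that low-privileged users can
    # write to is exactly the condition the report abuses.
    param([Parameter(Mandatory)][string]$Root)
    Get-TreeEntriesNoFollow -Root $Root |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                LinkType = $_.LinkType
                Target   = @($_.Target)[0]
            }
        }
}

function Remove-TreeNoFollow {
    # Deletes $Root and everything below it. A reparse point is unlinked in
    # place: Directory.Delete / File.Delete remove the link object only
    # (Win32 RemoveDirectory / DeleteFile semantics), so the target's
    # contents are never touched.
    param([Parameter(Mandatory)][string]$Root)
    $item   = Get-Item -LiteralPath $Root -Force
    $isLink = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    if ($item.PSIsContainer) {
        if (-not $isLink) {
            foreach ($child in Get-ChildItem -LiteralPath $Root -Force) {
                Remove-TreeNoFollow -Root $child.FullName
            }
        }
        # Non-recursive delete: removes the now-empty directory, or the junction itself.
        [IO.Directory]::Delete($Root)
    } else {
        [IO.File]::Delete($Root)
    }
}

function Invoke-Demo {
    # Constructed layout mirroring the report: 'Acronis' stands in for
    # C:\Acronis, 'protected' for C:\Windows\secret\1. Creating a junction
    # needs no elevation, which is the point of the report.
    $base      = Join-Path $env:TEMP ('mms-demo-' + [guid]::NewGuid().ToString('N'))
    $protected = Join-Path $base 'protected'
    $service   = Join-Path $base 'Acronis'
    New-Item -ItemType Directory -Path $protected, $service | Out-Null
    Set-Content -LiteralPath (Join-Path $protected 'keep.txt') -Value 'must survive'
    New-Item -ItemType Junction -Path (Join-Path $service 'PostRebootResult') -Value $protected | Out-Null

    $found = @(Get-ReparsePointsInTree -Root $service)
    Write-Host ("Audit: {0} reparse point(s) under {1}" -f $found.Count, $service)
    $found | Format-Table Path, LinkType, Target -AutoSize | Out-String | Write-Host

    Remove-TreeNoFollow -Root $service
    $survived = Test-Path -LiteralPath (Join-Path $protected 'keep.txt')
    Write-Host ("Service tree removed; protected file survived: {0}" -f $survived)

    Remove-Item -LiteralPath $base -Recurse -Force
    return $survived
}

Invoke-Demo
```

Run it in any PowerShell session; the audit prints one junction (PostRebootResult pointing at the protected folder) and the final line reports `True`, meaning the cleanup removed the service tree and the junction without deleting keep.txt. Two caveats for anyone fixing a service rather than writing a script: the attribute check and the delete are still two separate operations, so a writable directory leaves a race window, and the durable fix is an ACL on the service's working directory that denies Authenticated Users the right to create subfolders there, with the no-follow deletion as a second layer. For detection, the same Procmon session the report describes (filter on mms.exe) will show SetDispositionInformationFile operations whose paths resolve outside the service's own tree.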

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Privilege Escalation