The SYSTEM Sovereignty: How Three “Antiviral” Flaws in Avira Grant Total Windows Control

Within the architecture of Avira Internet Security, researchers have unearthed a formidable triad of vulnerabilities embedded in modules tasked with executing administrative functions under the exalted SYSTEM privileges. These critical aberrations afflict the mechanisms governing component updates, systemic acceleration, and the purgin of ephemeral files. At a superficial glance, these appear as mundane internal antiviral protocols; however, each of these constituents was granted unfettered access to highly sensitive, OS-wide operations, whilst their attendant validation checks proved perilously anemic. Consequently, a localized user is empowered to either obliterate arbitrary files under the aegis of SYSTEM or escalate the incursion into a comprehensive privilege escalation exploit.

The compromised iterations span all versions up to and including 1.1.109.1990. Remediating patches have been incorporated into the 1.1.114.3113 release. Investigators delineated three distinct attack vectors: the arbitrary deletion of files within the update module, chronicled as CVE-2026-27748; the perilous deserialization within the systemic acceleration module, designated CVE-2026-27749; and the arbitrary obliteration of directories via a Time-of-Check to Time-of-Use (TOCTOU) race condition within the cleanup module, identified as CVE-2026-27750. The inaugural flaw possesses intrinsic utility in isolation, whilst the latter twain forge a direct, unobstructed pathway to SYSTEM sovereignty.

The update module shoulders the mandate of delivering nascent Avira components; during its operational cadence, it interacts with third-party executables sequestered within the C:\ProgramData\OPSWAT\MDES SDK\ directory. Specific files within this enclave are actively purged during the update cycle. Conversely, the acceleration module diligently monitors performance metrics, striving to optimize the system’s operational fluidity. Upon the activation of the Performance Booster paradigm, the Avira.SystemSpeedup.RealTimeOptimizer.exe process is invoked, draped in SYSTEM privileges. Finally, the cleanup module scours the architecture for ephemeral data, residual caches, and auxiliary systemic detritus; following explicit user corroboration, it eradicates the identified refuse, similarly wielding maximum privileges.

A singular, overarching fundamental flaw unites all three components: the privileged code places an egregious degree of blind trust in the pathways and data it manipulates. The moment a malefactor acquires the capability to substitute a file, directory, or serialized object, SYSTEM unwittingly commences the execution of foreign, malicious logic under its own sovereign banner.

Two of these three incursions are predicated upon an antiquated, yet profoundly effective, stratagem involving the C:\Config.msi directory. This machination is inextricably tethered to the Windows Installer service and its intrinsic rollback architecture. Should an adversary coerce a privileged process into obliterating C:\Config.msi, subsequently reconstitute the directory populated with .rbs and .rbf rollback artifacts, and finally engineer a catastrophic failure during the installation of an MSI package, the Windows Installer service will dutifully execute the rollback scripts cloaked in SYSTEM privileges.

Thereafter, the exploit chain follows a remarkably standardized trajectory: leveraging the rollback mechanism, the assailant can surreptitiously implant a dynamic link library into the C:\Program Files\Common Files\microsoft shared\ink\HID.DLL directory. Subsequently, invoking the security screen via the CTRL+ALT+DEL keystroke sequence and launching osk.exe (the On-Screen Keyboard) compels the application to sideload the venomous library, thereby bequeathing the malefactor an unadulterated SYSTEM shell.

A profound caveat must be articulated here. The obliteration of a directory and the deletion of a file operate under fundamentally disparate paradigms. In the former scenario, the incursion exploits the redirection of a directory deletion—a technique that retains its lethal efficacy. In the latter, the exploitation historically hinged upon the eradication of the ::$INDEX_ALLOCATION alternative data stream. However, commencing with the Windows 11 24H2 iteration, Microsoft definitively asphyxiated this specific vector; thus, the archaic sleight of hand involving file deletion fails to yield the homologous outcome upon these nascent builds.

The inaugural vulnerability festers within the update module. During the update cadence, the component systematically obliterates the file C:\ProgramData\OPSWAT\MDES SDK\wa_3rd_party_host_32.exe. The critical vulnerability lies in the absolute absence of any validation to ascertain whether this pathway harbors a symbolic link prior to its execution. Should an adversary proactively synthesize such a link in lieu of the mundane file, the privileged process will blithely traverse it, subsequently eradicating a wholly disparate, unintended target.

To brilliantly illuminate this flaw, the investigators wielded James Forshaw’s suite of utilities dedicated to scrutinizing symbolic links. Initially, they forged the directory:

PS C:\temp> mkdir "C:\ProgramData\OPSWAT\MDES SDK"

Subsequently, they transmuted it into a junction point, charting a course directly into the \RPC Control object namespace:

PS C:\temp> .\CreateMountPoint.exe "C:\ProgramData\OPSWAT\MDES SDK" "\RPC Control"

Following this, a symbolic link was meticulously forged, pointing toward the ultimate quarry:

PS C:\temp> .\CreateSymlink.exe "\RPC Control\wa_3rd_party_host_32.exe" "C:\windows\system32\foobar.txt"

Opened Link \RPC Control\wa_3rd_party_host_32.exe -> \??\C:\windows\system32\foobar.txt: 00000158

Press ENTER to exit and delete the symlink

When the user subsequently initiated the update sequence, the module obliterated not the anticipated service file, but rather C:\windows\system32\foobar.txt. The Procmon process monitor provided incontrovertible evidence that this deletion was orchestrated exclusively by the SYSTEM process. On Windows iterations predating 24H2, this primitive could be seamlessly amalgamated with the Config.msi stratagem, culminating in a devastating privilege escalation. On more contemporary builds, the resulting catastrophe is contingent upon the selected target, oscillating between localized denial of service and profound systemic integrity violations.

The secondary vulnerability is inextricably woven into the acceleration module. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, operating with absolute SYSTEM authority, ingests the file C:\ProgramData\Avira\SystemSpeedup\temp_rto.dat and indiscriminately deserializes its contents utilizing the .NET BinaryFormatter. Crucially, this juncture is utterly bereft of any sanitizing filters or stringent type-checking mechanisms. By default, the ProgramData directory permits localized users to mint new files; ergo, a pedestrian user can effortlessly implant a bespoke temp_rto.dat and patiently await its ingestion by the privileged process.

A rigorous forensic dissection of the binary via dnSpy illuminated three distinct crucibles of deserialization: LoadDBFromFile, LoadCrashRestoreKnowledge, and LoadProcessExceptionKnowledge. The LoadCrashRestoreKnowledge function provoked the profoundest scrutiny, as it directly cracks the file open and unceremoniously shuttles it into BinaryFormatter.Deserialize() without a scintilla of auxiliary constraint:

[pastacode lang=”c” manual=”private%20void%20LoadCrashRestoreKnowledge()%20%7B%20if%20(File.Exists(this.CrashRestoreKnowledgeBasePath))%20%7B%20try%20%7B%20FileStream%20fileStream%20%3D%20new%20FileStream(this.CrashRestoreKnowledgeBasePath%2C%20FileMode.OpenOrCreate)%3B%20BinaryFormatter%20binaryFormatter%20%3D%20new%20BinaryFormatter()%3B%20Dictionary%3Cint%2C%20ProcInfo%3E%20crashRestoreKnowledge%20%3D%20this._crashRestoreKnowledge%3B%20lock%20(crashRestoreKnowledge)%20%7B%20this._crashRestoreKnowledge%20%3D%20(Dictionary%3Cint%2C%20ProcInfo%3E)binaryFormatter.Deserialize(fileStream)%3B%20%7D%20fileStream.Close()%3B%20%7D%20catch%20(Exception%20ex)%20%7B%20Log.Warning(LogModule.General%2C%20%22LoadCrashRestoreKnowledge%20exception%3A%20%22%20%2B%20ex.Message)%3B%20%7D%20%7D%20%7D” message=”” highlight=”” provider=”manual”/]

The pathway charting the file’s location is rigidly defined via the following property:

In this context, the CommonApplicationData variable resolves explicitly to the C:\ProgramData directory. Upon a pristine installation, the temp_rto.dat artifact is notably absent, profoundly streamlining the attack vector. However, should the file pre-exist and obstinately refuse the inscription of novel payloads, the investigators keenly observe that the antecedent file-deletion vulnerability serves as the perfect instrument to forcefully vacate the premises and mint the object anew.

This perilous architecture is triggered the moment a user engages the Performance Booster paradigm via the graphical interface. While the interface itself operates beneath the constraints of a limited user, its activation summons the privileged process, which immediately devours temp_rto.dat. Procmon transparently reveals SYSTEM vigorously interrogating this very file.

To demonstrate this catastrophic failure, the ysoserial.net utility was weaponized. The venomous payload was architected thusly:

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -c "whoami > c:\pwned.txt" -o raw > c:\temp\pwned.bin

Following its genesis, the artifact was transplanted into the Avira sanctum:

C:\temp> copy c:\temp\pwned.bin C:\ProgramData\Avira\SystemSpeedup\temp_rto.dat

1 file(s) copied.

Thereafter, the user merely deactivated the Performance Booster toggle, substituted the file, and resurrected the function. At the precise moment of deserialization, the payload executed cloaked in SYSTEM privileges, successfully manifesting the c:\pwned.txt file as dictated by the injected command. The investigators hail this vector as the most pristine of the triad: bereft of race conditions or agonizingly narrow temporal windows, it merely requires the planting of a file and the flick of a digital switch.

The tertiary affliction plagues the cleanup module. Its operational logic is bifurcated: initially, the Optimizer scours the architecture, cataloging ephemeral directories and systemic refuse; subsequently, following explicit user authorization, it orchestrates their annihilation. The fatal error materializes precisely within the interstice separating these two phases. During the preliminary audit, the pathway is deemed benign; however, preceding the kinetic act of deletion, this pathway is egregiously spared from secondary validation. Thus, the classic Time-of-Check to Time-of-Use (TOCTOU) race condition is born—a perilous chasm where the verdict of the audit and the subsequent manipulation of the object profoundly diverge in time.

The choreography of this assault unfolds as follows: A localized user mints a directory, for instance within C:\temp, and endures a purgatory of no less than ten minutes, as the Optimizer exclusively classifies sufficiently antiquated temporary folders as legitimate refuse. Following this agonizing wait, the user summons the cleanup module, triggers the scan, and waits until their bespoke directory materializes within the System Junk - Temporary System Files ledger. At this precise juncture, the pathway has successfully navigated the security audit.

Immediately prior to depressing the ‘Optimize’ trigger, the investigator unleashes the auxiliary FolderOrFileDeleteToSystem.exe utility, seamlessly transmuting their benign directory into a malignant junction pointing directly at C:\config.msi. To the oblivious Optimizer, the exterior facade remains indistinguishable from the directory it had previously vetted. During the purgin sequence, the privileged process blindly traverses this novel conduit, obliterating C:\config.msi. Procmon unequivocally corroborates that this devastation is wrought under the absolute authority of SYSTEM.

Subsequently, the infamous MSI-installer rollback chain is triggered anew. HID.DLL is surreptitiously smuggled into the system, taking root within the Microsoft Ink directory, and the invocation of osk.exe via the security screen ultimately yields the coveted SYSTEM shell.

In aggregate, these three vulnerabilities coalesce to paint a profoundly grim tableau. Three disparate modules harbor three distinct aberrations, yet all spring from a singular, fatal genesis: code endowed with maximum privileges manipulating files and pathways under the perilously naive assumption that localized users are utterly impotent to influence them. The investigators crown the arbitrary file deletion primitive as the most universally potent, given its efficacy both as a standalone weapon and as a vital preparatory phase. The most frictionless, direct conduit to SYSTEM supremacy is undeniably the perilous deserialization festering within the acceleration module. The race condition haunting the cleanup module appears somewhat more temperamental, yet it remains a robust, thoroughly viable avenue to achieve total systemic subjugation.