A Symantec corrigiu uma falha de escalonamento de privilégios local, identificada como CVE-2019-12758, que afeta todas as versões do cliente do Symantec Endpoint Protection anteriores à 14.2 RU2.
A vulnerabilidade pode ser explorada pelos invasores para aumentar os privilégios nos dispositivos de destino e executar ações maliciosas, incluindo a execução de código malicioso com privilégios de SISTEMA.
A falha é semelhante a outras vulnerabilidades descobertas por invesvitadores do SafeBreach Labs em outras soluções antivírus de vários fornecedores de segurança, incluindo McAfee, Trend Micro, Check Point, Bitdefender, AVG e Avast.
As falhas podem permitir que os invasores ignorem o mecanismo de autodefesa das soluções antivírus e com isso executem payloads persistentes.
As falhas do Symantec Endpoint Protection LPE poderiam ser exploradas apenas por invasores com privilégios de administrador.
“This vulnerability could have been used in order to bypass Symantec’s Self-Defense mechanism and achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process which is signed by Symantec and that runs as NT AUTHORITY\SYSTEM.” reads the advisory published by SafeBreach. “
“we found a service (SepMasterService) of the Symantec Endpoint Protection which is running as signed process and as NT AUTHORITY\SYSTEM, which is trying to load the following DLL which doesn’t exist: c:\Windows\SysWOW64\wbem\DSPARSE.dll”
No caso do Symantec Endpoint Protection, os investigadores descobriram um serviço chamado SepMasterService, que está a executar como processo assinado e como NT AUTHORITY \ SYSTEM. Este serviço tenta carregar uma DLL do seguinte patch: c:\Windows\SysWOW64\wbem\DSPARSE.dll.
Os investigadores testaram a falha compilando uma DLL Proxy de 32 bits (não assinada) do ficheiro DLL dsparse.dll original, que grava o nome do processo que a carregou, o nome de user que a executou e o nome do ficheiro DLL. Em seguida, os especialistas colocaram a DLL em C: \ Windows \ SysWow64 \ Wbem e reiniciam o computador.
“We were able to load an arbitrary Proxy DLL (which loaded another arbitrary DLL) and execute our code within a service’s process which is signed by Symantec Corporation as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continues the analysis.
“There are two root causes for this vulnerability:
No digital signature validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.
The fastprox.dll library is trying to import the dsparse.dll from it’s current working directory (CWD), which is C:\Windows\SysWow64\Wbem, while the file is actually located in the SysWow64 folder.”
A Symantec resolveu a falha com o lançamento do Symantec Endpoint Protection 14.2 RU2 em 22 de outubro de 2019.
“The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the services are being loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time it is restarted.” concludes SafeBreach.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.