Symantec endpoint protection 14.2

CVE-2019-12757: Local Privilege Escalation in Symantec Endpoint Protection

Symantec Endpoint Protection Version: 14.2 RU1 Build 3335 (.1000) and below
Operating System Tested On: Windows x64

Vulnerability Explanation

When a scan is started, the ccSvcHst.exe process (running as NT AUTHORITY\SYSTEM) checks for user-specific scan settings located at “HKLM\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\<SID>\Custom Tasks\”. If the logged-on user’s Security Identifier (SID) isn’t already present under the “HKLM\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler” registry path, ccSvcHst.exe creates it (as NT AUTHORITY\SYSTEM). When created, this key is granted “FullControl” rights to the currently logged-on user.

It is possible to create a registry symbolic link at “HKLM\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\<SID>\” and point it to an arbitrary location in the machine registry hive, resulting in an arbitrary registry key write primitive as “NT AUTHORITY\SYSTEM” with a permissive DACL. This can be used to fully elevate privileges on the host.

In order for this vulnerability to be reliably exploited, Symantec Endpoint Protection’s “Tamper Protection” feature needs to be disabled. With Tamper Protection enabled, the vulnerability still exists but exploitability is much, much lower. With this feature disabled (we have seen various environments with this disabled or tuned down), exploitability of the vulnerability is high. Tamper Protection being disabled in large organizations is commonly observed. We haven’t taken the time to reverse the filter driver, but this could still potentially be exploited with tamper protection on. It is my stance that this is a vulnerability regardless of whether Tamper Protection is enabled or not.

Proof of Concept code can be found here:

This vulnerability was found in conjunction with Marcus Sailler, Rick Romo and Gary Muller of Capital Group’s Security Testing Team.
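The two conditions the advisory describes, a per-user subkey under the Scheduler key that is really a registry symbolic link, and a subkey whose DACL grants Full Control to an ordinary user, can both be audited from an elevated PowerShell session. The script below is an added defender-side example, not code from the advisory, from Capital Group or from Symantec. The registry path is the one quoted above; the `RegLink` helper class, the `Get-SepSchedulerAudit` function and the set of "privileged" SIDs are this example's own assumptions. Because .NET's `RegistryKey` and the PowerShell registry provider always follow a symbolic link, the link itself can only be inspected by opening the key with `REG_OPTION_OPEN_LINK` through `RegOpenKeyExW` and reading its `SymbolicLinkValue` (type `REG_LINK`).

```powershell
# Added audit script (not part of the original advisory): list the per-user subkeys
# under the SEP Scheduler key and flag (1) subkeys that are registry symbolic links and
# (2) subkeys whose DACL grants Full Control to a principal other than SYSTEM/Administrators.
# Run from an elevated 64-bit PowerShell; the path is the one given in the advisory.

$SchedulerSubKey = 'SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler'
$PrivilegedSids  = @('S-1-5-18', 'S-1-5-32-544')   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators (assumption)

# Minimal P/Invoke wrapper (hypothetical helper): opens a key WITHOUT following a symbolic link.
if (-not ('RegLink' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class RegLink
{
    const uint REG_OPTION_OPEN_LINK = 0x0008;
    const uint KEY_QUERY_VALUE      = 0x0001;
    const uint REG_LINK             = 6;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, uint ulOptions, uint samDesired, out IntPtr phkResult);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegQueryValueExW(IntPtr hKey, string lpValueName, IntPtr lpReserved, out uint lpType, byte[] lpData, ref uint lpcbData);
    [DllImport("advapi32.dll")]
    static extern int RegCloseKey(IntPtr hKey);

    // Returns the link target if hklmSubKey is a registry symbolic link, otherwise null.
    public static string GetLinkTarget(string hklmSubKey)
    {
        IntPtr hklm = new IntPtr(unchecked((int)0x80000002)); // HKEY_LOCAL_MACHINE, sign-extended on x64
        IntPtr h;
        if (RegOpenKeyExW(hklm, hklmSubKey, REG_OPTION_OPEN_LINK, KEY_QUERY_VALUE, out h) != 0) return null;
        try
        {
            uint type, size = 0;
            // A normal key has no SymbolicLinkValue: the size query fails with ERROR_FILE_NOT_FOUND (2).
            if (RegQueryValueExW(h, "SymbolicLinkValue", IntPtr.Zero, out type, null, ref size) != 0 || type != REG_LINK) return null;
            byte[] buf = new byte[size];
            if (RegQueryValueExW(h, "SymbolicLinkValue", IntPtr.Zero, out type, buf, ref size) != 0) return null;
            return Encoding.Unicode.GetString(buf, 0, (int)size).TrimEnd('\0');
        }
        finally { RegCloseKey(h); }
    }
}
'@
}

function Get-SepSchedulerAudit {
    $parent = "HKLM:\$SchedulerSubKey"
    if (-not (Test-Path -LiteralPath $parent)) {
        Write-Warning "Scheduler key not found: $parent (SEP not installed, or a different build)"
        return
    }
    $fullControl = [int][System.Security.AccessControl.RegistryRights]::FullControl   # 0xF003F
    $genericAll  = 0x10000000                                                          # GENERIC_ALL, as Get-Acl may report it

    foreach ($key in Get-ChildItem -LiteralPath $parent) {
        $linkTarget = [RegLink]::GetLinkTarget("$SchedulerSubKey\$($key.PSChildName)")

        # Get-Acl follows a link, so for a link key this is the DACL of the target: exactly
        # the "permissive DACL" outcome the advisory describes.
        $acl = Get-Acl -LiteralPath $key.PSPath
        $weakAces = foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.RegistryRights
            $grantsFull = (($rights -band $fullControl) -eq $fullControl) -or (($rights -band $genericAll) -ne 0)
            if (-not $grantsFull) { continue }
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($PrivilegedSids -notcontains $sid) { "$($ace.IdentityReference) ($sid)" }
        }

        [pscustomobject]@{
            SubKey            = $key.PSChildName
            IsSymbolicLink    = [bool]$linkTarget
            LinkTarget        = $linkTarget
            FullControlGrants = @($weakAces) -join '; '
            Suspicious        = [bool]$linkTarget -or (@($weakAces).Count -gt 0)
        }
    }
}

Get-SepSchedulerAudit | Format-Table -AutoSize
```

On a healthy host every row should show `IsSymbolicLink = False` and, at most, the logged-on user's own SID subkey listed under `FullControlGrants` (the behaviour the advisory documents); any subkey reported as a symbolic link, or a link whose target lies outside the SEP tree, is worth an incident-response look. The script only reads the registry and changes nothing.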