Symantec addressed a local privilege escalation flaw, tracked as CVE-2019-12758, that affects all Symantec Endpoint Protection client versions prior to 14.2 RU2. The vulnerability could be exploited by attackers to escalate privileges on target devices and carry out malicious actions, including the execution of malicious code with SYSTEM privileges.
The issue is similar to other vulnerabilities discovered by researchers from SafeBreach Labs in other antivirus solutions from several security vendors, including McAfee, Trend Micro, Check Point, Bitdefender, AVG and Avast.
The flaws could allow attackers to bypass the self-defense mechanism of the antivirus solutions and deliver
Like other DLL hijacking issues in security solutions, the Symantec Endpoint Protection LPE flaw could be exploited only by attackers who already hold Administrator privileges.
“This vulnerability could have been used in order to bypass Symantec’s Self-Defense mechanism and achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process which is signed by Symantec and that runs as NT AUTHORITY\SYSTEM.” reads the advisory published by SafeBreach.
In the case of the Symantec Endpoint Protection experts discovered a service called SepMasterService, which is running
The researchers tested the flaw by compiling an unsigned 32-bit proxy DLL based on the original dsparse.dll, which writes the name of the process that loaded it, the username under which it ran and the name of the DLL file. The experts then implanted it in C:\Windows\SysWow64\Wbem.
“We were able to load an arbitrary Proxy DLL (which loaded another arbitrary DLL) and execute our code within a service’s process which is signed by Symantec Corporation as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continues the analysis.
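A defender-side check for the condition described above, added here as an example that is not from the article or from SafeBreach: it lists DLLs in the directory the researchers used that do not carry a valid Authenticode signature, and it inspects the modules loaded by the SepMasterService process for unsigned files from that directory. The directory path and service name come from the article; the use of Win32_Service to find the process is an assumption, and the script must run elevated to read a SYSTEM process's module list.

```powershell
# Added example (not code from the article or the SafeBreach advisory).
# Flags unsigned DLLs in the directory the proxy DLL was implanted in, and
# unsigned modules loaded from it by the SEP service. Run from an elevated
# PowerShell 5.1+ session on Windows.

$WatchDir = 'C:\Windows\SysWow64\Wbem'   # path taken from the article
$Findings = @()

# 1. Static check: any DLL on disk in the directory without a valid signature.
Get-ChildItem -Path $WatchDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $Findings += [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                Written = $_.LastWriteTime
                Source  = 'on disk'
            }
        }
    }

# 2. Runtime check: modules the SepMasterService process has loaded from that
#    directory that are not validly signed (service name from the article;
#    process lookup via Win32_Service is an assumption of this example).
$svc = Get-CimInstance Win32_Service -Filter "Name='SepMasterService'" -ErrorAction SilentlyContinue
if ($svc -and $svc.ProcessId) {
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    foreach ($m in $proc.Modules) {
        if ($m.FileName -like "$WatchDir\*") {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($sig.Status -ne 'Valid') {
                $Findings += [pscustomobject]@{
                    Path    = $m.FileName
                    Status  = $sig.Status
                    Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                    Written = (Get-Item $m.FileName).LastWriteTime
                    Source  = 'loaded by SepMasterService'
                }
            }
        }
    }
}

if ($Findings) { $Findings | Sort-Object Written -Descending | Format-Table -AutoSize }
else { Write-Output "No unsigned DLLs found in $WatchDir or loaded from it by SepMasterService" }
```

On supported Windows versions, catalog-signed system DLLs report a Valid status, so any NotSigned entry, especially one with a recent write time, deserves investigation.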
“There are two root causes for this vulnerability:
Symantec addressed the flaw with the release of the Symantec Endpoint Protection 14.2 RU2 on October 22, 2019.
“The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the services are being loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time it is restarted.” concludes SafeBreach.
(SecurityAffairs – Symantec Endpoint Protection, hacking)