Researchers from SafeBreach discovered several vulnerabilities in Kaspersky Secure Connection, Trend Micro Maximum Security, and Autodesk Desktop Application products that could be exploited by hackers for DLL
The first issue in Kaspersky Secure Connection (KSDE) VPN client, tracked as CVE-2019-15689, could be exploited by an attacker to implant and run an arbitrary unsigned executable.
In all cases, the privileged processes did not perform any signature verification on the DLLs they loaded.
Experts pointed out that the KSDE is a signed service that starts automatically at system boot up and which runs as SYSTEM. The service attempts to load multiple missing DLLs and an attacker with administrative privileges could load its own malicious library with SYSTEM privileges within the context of
Experts noticed that the process attempts to load the library using only the filename rather than an absolute path; by getting the service to load a library of their own, an attacker could execute arbitrary code within the signed Kaspersky process.
The researchers tested the flaw by compiling an x86 unsigned arbitrary DLL out of the original ckahum.dll DLL file, which writes the name of the process which loaded it, the username which executed it and the name of the DLL file. Then the experts implanted it in C:\Windows\SysWow64\Wbem, and restarted the computer:
Experts also discovered a similar issue in, tracked as CVE-2019-7365,
“this vulnerability could be used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM.” reads the post.
Experts also reported a DLL hijacking flaw, tracked as CVE-2019-15628, affecting the Trend Micro Maximum Security product. This issue could be exploited to achieve defense evasion, self-defense bypass, persistence and, in some cases, privilege escalation by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.
Experts discovered that some parts of the software run as non-PPL processes, thus allowing an attacker to load unsigned code, because the CIG (Code Integrity Guard) mechanism is not enforced.
The vulnerability allows attackers to escalate privileges: a regular user could write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.
“On our VM, Python 2.7 is installed. The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.” reads the analysis.
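The two weaknesses described above, a privileged process loading DLLs with no signature check and a DLL search directory whose ACL lets ordinary users write into it, can both be audited on a running system. The script below is an added example written for this article; it is not code from SafeBreach or from any of the vendors. It takes a process name (an assumption; pick the service process you want to inspect), lists every module that process has loaded, and reports modules whose Authenticode signature is not valid or whose parent directory grants write access to broad principals such as Authenticated Users. The principal list and the rights treated as "write" are assumptions chosen for illustration.

```powershell
# Added example (not from the SafeBreach write-up or the affected vendors):
# audit the modules loaded by a running process for
#   (a) a missing or invalid Authenticode signature, and
#   (b) a parent directory whose ACL lets non-admin principals write into it.
# Run from an elevated 64-bit PowerShell 5.1+ session; inspecting SYSTEM
# processes requires administrator rights. The process name is an assumption.

param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName   # assumed: name of the service process to audit
)

# Principals whose write access to a DLL search directory is a hijacking risk
# (assumed list; extend it for your environment).
$WeakPrincipals = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

# Rights that allow dropping or replacing a file in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-DirectoryWritableByUsers {
    # Returns $true if any Allow ACE grants a weak principal write-class rights.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    foreach ($mod in $proc.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
        $dir = Split-Path -Parent $mod.FileName
        $writable = $false
        try { $writable = Test-DirectoryWritableByUsers -Path $dir } catch { }
        if ($sig.Status -ne 'Valid' -or $writable) {
            [pscustomobject]@{
                Process         = $proc.ProcessName
                PID             = $proc.Id
                Module          = $mod.FileName
                SignatureStatus = $sig.Status
                UserWritableDir = $writable
            }
        }
    }
}

$findings | Sort-Object Module -Unique | Format-Table -AutoSize
```

A module reported with a non-Valid signature outside the Windows directory, or any module that lives in a user-writable directory such as the C:\python27 case quoted above, is what to remediate: tighten the directory ACL so only administrators can write to it, and prefer process mitigations such as Code Integrity Guard so that unsigned images cannot be mapped into the service at all. Many operating-system DLLs are catalog-signed; if an old PowerShell version reports them as NotSigned, verify them separately before treating that as a finding.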
SafeBreach reported these issues to the respective companies in July, and the vendors released security advisories for the vulnerabilities.