{"id":116,"date":"2020-04-27T10:06:02","date_gmt":"2020-04-27T10:06:02","guid":{"rendered":"http:\/\/labs.redyops.com\/?p=116"},"modified":"2020-07-14T12:08:35","modified_gmt":"2020-07-14T12:08:35","slug":"symantec-endpoint-protection-sep-14-2-eop-via-arbitrary-write","status":"publish","type":"post","link":"https:\/\/labs.redyops.com\/index.php\/2020\/04\/27\/symantec-endpoint-protection-sep-14-2-eop-via-arbitrary-write\/","title":{"rendered":"Symantec Endpoint Protection (SEP) 14.2 RU2 Elevation of Privileges (CVE-2020-5837)"},"content":{"rendered":"
<\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/div><\/div>\n\n\n\n

Summary<\/strong><\/h1>\n\n\n\n

Assigned CVE<\/strong>: CVE-2020-5837<\/em> has been assigned and RedyOps Labs has been publicly acknowledged by the vendor.<\/p>\n\n\n\n

Known to Neurosoft’s RedyOps Labs since<\/strong>: 22\/12\/2019<\/p>\n\n\n\n

Exploit<\/strong> Code<\/strong>: https:\/\/github.com\/RedyOpsResearchLabs\/SEP-14.2-Arbitrary-Write<\/a> <\/p>\n\n\n\n

Vendor’s Advisory<\/strong>: https:\/\/support.broadcom.com\/security-advisory\/security-advisory-detail.html?notificationId=SYMSA1762<\/a><\/p>\n\n\n\n

An Elevation of Privilege (EoP) exists in SEP 14.2 RU2 . The latest version we tested is SEP Version 14(14.2 RU2 MP1) build 5569 (14.2.5569.2100). The exploitation of this EoP , gives the ability to a low privileged user to create a file anywhere in the system. The attacker partially controls the content of the file. There are many ways to abuse this issue. We chose to create a bat file in the Users Startup folder C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\backdoor.bat because we believe it is a good opportunity to present an interesting method we used, in order to bypass restrictions of this arbitrary write where we could control only partially the content .<\/p>\n\n\n\n

Description<\/strong><\/h1>\n\n\n\n

Whenever Symantec Endpoint Protection (SEP) performs a scan, it uses high privileges in order to create a log file under the folder<\/p>\n\n\n\n

C:\\Users\\user\\AppData\\Local\\Symantec\\Symantec Endpoint Protection\\Logs\\<\/p>\n\n\n\n

An attacker can create a SymLink in order to write this file anywhere in the system. As for example the following steps will force SEP to create the log file under the <\/p>\n\n\n\n

“C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\backdoor.bat”<\/p>\n\n\n\n

  1. Delete the “Logs” sub folder (Shift+Delete) from the  “C:\\Users\\attacker\\AppData\\Local\\Symantec\\Symantec Endpoint Protection\\” folder.  <\/li>
  2. Execute the following:<\/li><\/ol>\n\n\n\n
    CreateSymlink.exe \"C:\\Users\\attacker\\AppData\\Local\\Symantec\\Symantec Endpoint Protection\\Logs\\12222019.Log\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\backdoor.bat\"<\/code><\/pre>\n\n\n\n
    Note<\/strong>: The file 12222019.Log is in format mmddyyyy.log . Depending on the day you exploit, you have to choose the right name.<\/em><\/p>\n\n\n\n
    CreateSymlink is opensource and can be found in the following URL: https:\/\/github.com\/googleprojectzero\/symboliclink-testing-tools\/releases<\/a> .<\/p>\n\n\n\n
    The log files contain data which are partially controlled by the attacker, allowing commands to be injected into the log files. With symbolic links, we can write log files in other file formats which can lead to an EoP.<\/p>\n\n\n\n
    An easy way to inject code in the log files, is by naming a malicious file to<\/p>\n\n\n\n
    m&command<\/strong>&sf.exe <\/p>\n\n\n\n
    and scan it. This will trigger the scan and a log entry with the injected command will be created. This is caused because the filename “m&command<\/strong>&sf.exe” of the malicious file is being referenced in the log files. Combining this with the SymLinks, the attacker can create the valid bat file  “C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\backdoor.bat” .<\/p>\n\n\n\n
    Exploitation<\/strong><\/h1>\n\n\n\n
    In order to Exploit the issue you can use our exploit from our GitHub<\/a> . <\/p>\n\n\n\n
    In the following paragraph a step by step explanation of the Video PoC where we use the exploit, is provided.<\/p>\n\n\n\n
    Video PoC Step By Step<\/strong><\/h1>\n\n\n\n
    The exploit takes 2 arguments. The first argument is the file we want the logs to be written in. The second argument, is the payload we want to inject in the logs file. If you can recall, the “payload” we are going to inject is nothing more than the filename of the malicious file which we are going to scan. So the following command will cause the SEP to create its log file to <\/p>\n\n\n\n
    c:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\backdoor.bat<\/p>\n\n\n\n
    and the malicious file we are going to scan, will have the name <\/p>\n\n\n\n
    “& powershell.exe -Enc YwBtAGQALgBlAHgAZQAgAC8AQwAgAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAMQAuAGUAeABlAA== & REM”<\/p>\n\n\n\n
    Yes i know… this is a strange name for a file, but it is what it is \ud83d\ude42<\/p>\n\n\n\n
    Exploit.exe \"c:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\backdoor.bat\" \"& powershell.exe -Enc YwBtAGQALgBlAHgAZQAgAC8AQwAgAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAMQAuAGUAeABlAA== & REM\"<\/code><\/pre>\n\n\n\n
    If you decode the base64 you will have the command cmd.exe \/C C:\\Users\\Public\\1.exe<\/strong><\/p>\n\n\n\n
    A user with low privileges can copy any file under the C:\\Users\\Public\\ folder.  <\/p>\n\n\n\n
    \n