{"id":71,"date":"2020-04-24T10:24:06","date_gmt":"2020-04-24T10:24:06","guid":{"rendered":"http:\/\/labs.redyops.com\/?p=71"},"modified":"2020-07-14T12:08:22","modified_gmt":"2020-07-14T12:08:22","slug":"bitdefender-antivirus-free-escalation-of-privileges","status":"publish","type":"post","link":"https:\/\/labs.redyops.com\/index.php\/2020\/04\/24\/bitdefender-antivirus-free-escalation-of-privileges\/","title":{"rendered":"BitDefender Antivirus Free 2020 Elevation of Privilege (CVE-2020-8103 )"},"content":{"rendered":"
<\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/div><\/div>\n\n\n\n

Summary<\/strong><\/h1>\n\n\n\n

Assigned CVE<\/strong>: CVE-2020-8103 has been assigned and RedyOps Labs has been publicly acknowledged by the vendor.<\/p>\n\n\n\n

Known to Neurosoft\u2019s RedyOps Labs since<\/strong>: 18\/03\/2020<\/p>\n\n\n\n

Exploit<\/strong> Code<\/strong>: https:\/\/github.com\/RedyOpsResearchLabs\/-CVE-2020-8103-Bitdefender-Antivirus-Free-EoP <\/a><\/p>\n\n\n\n

Vendor\u2019s Advisory<\/strong>: https:\/\/www.bitdefender.com\/support\/security-advisories\/link-resolution-privilege-escalation-vulnerability-bitdefender-antivirus-free-va-8604\/<\/a><\/p>\n\n\n\n

An Elevation of Privileges (EoP) exists in Bitdefender Antivirus Free 2020 < 1.0.17.178 . The latest version we tested is BitDefender Free Edition 1.0.17.169. The exploitation of this EoP, gives the ability to a low privileged user to gain access as NT AUTHORITY\\SYSTEM . The exploitation has been tested in installation of BitDefender on Windows 10 1909 (OS Build 18363.720) 64bit .<\/p>\n\n\n\n

Description<\/strong><\/h1>\n\n\n\n

The exploitation allows any local, low privileged user, to change the Discretionary Access Control List (DACL) of any chosen file. The access you obtain depends on which file you are going to backdoor\/overwrite. In the Proof of Concept (PoC) we overwrite the file system32\/wermgr.exe and we pop a cmd.exe running as NT AUTHORITY\\SYSTEM . The exploitation works with the default installation of BitDefender. When the BitDefender detects a threat, it gives the ability to the user to choose what action to take. The user can choose to Quarantine the threat. After the threat has been placed in Quarantine, the user can choose to restore it. The problem arises because the BitDefeder restores the file as NT AUTHORITY\\SYSTEM and without impersonating the current user. This allows the user to create a symlink and restore the file to an arbitrary location or overwrite files which are running as SYSTEM.<\/p>\n\n\n\n

Exploitation<\/strong><\/h1>\n\n\n\n
  1. Put an EICAR file (or any other file which can be detected as a threat) under an empty folder which you fully control. For example, put an EICAR file to C:\\Users\\Public\\Music<\/li>
  2. Scan the EICAR file (e.g C:\\Users\\Public\\Music\\eicar.txt) with the BitDefender.<\/li>
  3. When the BitDefender detects the threat, choose to Quarantine the file.<\/li>
  4. Give some time to the BitDefender and rename the folder C:\\Users\\Public\\Music to C:\\Users\\Public\\Music2 .<\/li>
  5. Create the symlink C:\\Users\\Public\\Music\\eicar.txt (e.g with the CreateSymlink.exe from symboliclink-testing-tools of project zero) and target the file you wish to control. For example CreateSymlink.exe C:\\Users\\Public\\Music\\eicar.txt c:\\windows\\system32\\wermgr.exe .<\/li>
  6. Add the c:\\windows\\system32\\wermgr.exe to the exception list of BitDefender.<\/li>
  7. Go back to BitDefender and restore the C:\\Users\\Public\\Music\\eicar.txt . The first time it may fail. Click restore again.<\/li>
  8. The BitDefender, running as NT AUTHORITY\\SYSTEM, will follow the symlink and will overwrite the file c:\\windows\\system32\\wermgr.exe .<\/li>
  9. The c:\\windows\\system32\\wermgr.exe will have a new DACL, which gives your user full access. You can overwrite the file with anything you wish.<\/li><\/ol>\n\n\n\n

    Video PoC Step By Step<\/strong><\/h1>\n\n\n\n
    \n