
Assigned CVE: CVE-2020-5837 has been assigned and RedyOps Labs has been publicly acknowledged by the vendor.

Known to Neurosoft's RedyOps Labs since:

An Elevation of Privilege (EoP) exists in SEP 14.2 RU2. The latest version we tested is SEP Version 14 (14.2 RU2 MP1) build 5569 (.2100).

Exploiting this EoP gives a low privileged user the ability to create a file anywhere on the system. The attacker only partially controls the content of the file.

We chose to create a bat file in the all-users Startup folder, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\backdoor.bat, because we believe it is a good opportunity to present an interesting method we used to bypass the restrictions of this arbitrary write, where we could control the content only partially.

Whenever Symantec Endpoint Protection (SEP) performs a scan, it uses high privileges to create a log file under the folder
C:\Users\user\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\
An attacker can create a SymLink so that this file is written anywhere on the system. For example, the following steps will force SEP to create the log file as "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\backdoor.bat":

Delete the "Logs" sub folder (Shift+Delete) from the "C:\Users\attacker\AppData\Local\Symantec\Symantec Endpoint Protection\" folder.

CreateSymlink.exe "C:\Users\attacker\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\12222019.Log" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\backdoor.bat"

Note: The file 12222019.Log is named in the format mmddyyyy.log. Depending on the day you exploit, you have to choose the right name.

CreateSymlink is open source and can be found at the following URL: .

The log files contain data which is partially controlled by the attacker, allowing commands to be injected into the log files. An easy way to inject code into the log files is by naming a malicious file to
and scanning it. This will trigger the scan, and a log entry containing the injected command will be created. With symbolic links, we can write the log files in other file formats, which can lead to an EoP.
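The two artefacts this chain leaves behind are a reparse point (symlink or junction) where SEP expects a plain log folder or log file, and a non-shortcut file in the all-users Startup folder. The following audit script checks for both. It is an added example for defenders and is not part of the advisory, of the CreateSymlink tool, or of Symantec's product; it assumes the per-user Logs path and the Startup path exactly as the advisory states them (both can be overridden), and the demo layout it builds in a temporary directory is constructed here purely to exercise the checks.

```python
"""Defender-side audit for the symlink-redirected SEP log write described above.

Added example, not part of the advisory or of any vendor tooling. Assumptions:
the per-user SEP log folder is %LOCALAPPDATA%\\Symantec\\Symantec Endpoint
Protection\\Logs and the all-users Startup folder is
C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp, as on the page.
"""
import os
import stat
import tempfile
from pathlib import Path

# FILE_ATTRIBUTE_REPARSE_POINT: set on symlinks, junctions and mount points.
_REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)

DEFAULT_SEP_LOGS = (Path(os.environ.get("LOCALAPPDATA", ""))
                    / "Symantec" / "Symantec Endpoint Protection" / "Logs")
DEFAULT_STARTUP = Path(r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")


def is_reparse_point(path) -> bool:
    """True if `path` itself (not its target) is a symlink, junction or other reparse point."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):                  # POSIX symlinks and Windows file/dir symlinks
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only: also catches junctions
    return bool(attrs & _REPARSE)


def find_redirected_log_paths(logs_dir) -> list:
    """Return every reparse point at or directly under the SEP Logs folder.

    The folder itself is checked first: the technique on the page deletes the
    real folder, so a link *at* the folder is as suspicious as a link inside it.
    A healthy install has no reparse points here at all.
    """
    logs_dir = Path(logs_dir)
    hits = []
    if is_reparse_point(logs_dir):
        hits.append(logs_dir)
    if logs_dir.is_dir():
        hits.extend(p for p in logs_dir.iterdir() if is_reparse_point(p))
    return hits


def find_unexpected_startup_entries(startup_dir, allowlist=()) -> list:
    """Return Startup-folder entries that are neither shortcuts nor allowlisted.

    The all-users Startup folder normally holds desktop.ini and .lnk files only;
    a .bat/.cmd dropped there by a SYSTEM-level process is the artefact this
    chain produces.
    """
    startup_dir = Path(startup_dir)
    allowed = {"desktop.ini", *(name.lower() for name in allowlist)}
    if not startup_dir.is_dir():
        return []
    return [p for p in startup_dir.iterdir()
            if p.name.lower() not in allowed and p.suffix.lower() != ".lnk"]


def audit(logs_dir=DEFAULT_SEP_LOGS, startup_dir=DEFAULT_STARTUP) -> dict:
    """Run both checks; empty lists mean nothing suspicious was found."""
    return {
        "redirected_logs": [str(p) for p in find_redirected_log_paths(logs_dir)],
        "unexpected_startup": [str(p) for p in find_unexpected_startup_entries(startup_dir)],
    }


def build_demo_tree(base) -> tuple:
    """Constructed layout mimicking the abused state, used only for the self-check."""
    base = Path(base)
    logs = base / "Logs"
    logs.mkdir()
    (logs / "normal.Log").write_text("benign log line\n")
    startup = base / "StartUp"
    startup.mkdir()
    (startup / "backdoor.bat").write_text("constructed placeholder, not a real payload\n")
    # A "log file" that is really a link pointing into the Startup folder.
    os.symlink(startup / "backdoor.bat", logs / "12222019.Log")
    return logs, startup


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        logs, startup = build_demo_tree(tmp)
        return audit(logs, startup)


if __name__ == "__main__":
    print(run_demo())   # on a real host: print(audit()) with the defaults
```

Run it with no arguments on an endpoint to audit the default paths; on a clean machine both lists come back empty. The Startup check is deliberately strict (anything that is not desktop.ini or a .lnk is reported) because the injected log content can only ever land as a non-shortcut file, so false positives are cheap to review and a miss is expensive.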