Local Privilege Escalation vulnerability CVE-2019-12758

Symantec Endpoint Protection is a suite of security solutions that includes intrusion prevention, firewall, data loss prevention, and anti-malware capabilities for desktop and server computers. Security researcher Peleg Hadar of SafeBreach Labs discovered the vulnerability, which received CVE-2019-12758.

Several components of the software run as Windows services, which execute as "NT AUTHORITY\SYSTEM" and hold the corresponding privileges. During an analysis, the security team encountered a service (SepMasterService) that belongs to Symantec Endpoint Protection and runs as a signed process under NT AUTHORITY\SYSTEM. The researchers found that this service attempts to load the non-existent DLL listed below:

[Screenshot in the original post: path of the missing DLL, DSPARSE.dll, inside one of the protected Symantec Endpoint Protection folders]

That is the point of attack the security researchers used. They created their own DSPARSE.dll and placed it in that folder. Administrator privileges are required for this. But if SepMasterService loads this planted DSPARSE.dll from that folder, the attack succeeds and the self-defence mechanism of the antivirus software is bypassed. This matters because the Symantec Endpoint Protection software folders are protected by a mini-filter file system driver that restricts write operations even by an administrator; normally an administrator should therefore also be denied the right to drop a not-yet-existing DLL into that folder in order to get it loaded into Symantec's processes. In other words, the gain is not administrator rights (the attacker already has those) but arbitrary code running as SYSTEM inside a signed, self-protected process, which is what the self-defence is supposed to prevent.

Hadar's team had already used this attack method successfully against McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP), and McAfee Internet Security (MIS); I recently reported this in the blog post McAfee patches vulnerability in antivirus products. As in that case, the researchers wrote a 32-bit proxy DLL which, when called, writes certain parameters to a text file and thereby logs the calls. As expected, an arbitrary proxy DLL (which in turn could load another arbitrary DLL) could be loaded from the folder mentioned above. The protection mechanism of the Symantec program was thereby bypassed: the proxy DLL and any DLLs it subsequently loaded were executed within the Symantec service process as NT AUTHORITY\SYSTEM.

Affected Symantec EP versions, implications
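The finding above rests on one observation: a SYSTEM service probing for a DLL in a folder where the file does not exist. The usual way to spot that is a Process Monitor capture filtered for CreateFile operations with result NAME NOT FOUND on a `.dll` path. The following script is an added example (not code from the original post or from SafeBreach) that triages such a Procmon CSV export: it keeps only failed DLL opens by a SYSTEM process, reconstructs the order in which directories were probed for each DLL name, and reports the first probed directory that the current account can actually write to, since that is where a planted DLL would win the search. Because it keys on the failed probes rather than on whether the DLL was found eventually, it also catches search-order hijacks of DLLs that exist further down the path. The process name, PID, folder paths and the non-SYSTEM user in the embedded sample are constructed; only the DLL name DSPARSE.dll comes from the post. The writability probe deliberately attempts a real file creation, which is exactly the operation the self-protection mini-filter described above is meant to deny even to an administrator.

```python
"""Triage a Process Monitor CSV export for DLL-preloading candidates.

Assumed workflow: run Procmon with the "User" column enabled, filter on
the service process of interest, export to CSV, then run this script
over the export (ideally from the account you want to test, e.g. an
elevated administrator shell).
"""
import csv
import io
import ntpath
import os
import uuid

PRIVILEGED = ("NT AUTHORITY\\SYSTEM",)

# Constructed sample in Procmon CSV export layout. Process name, PID,
# paths and the user "DESKTOP\alice" are hypothetical.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:01:02.1234567","examplesvc.exe","1234","CreateFile","C:\Program Files\ExampleAV\Bin\DSPARSE.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open","NT AUTHORITY\SYSTEM"
"10:01:02.1234601","examplesvc.exe","1234","CreateFile","C:\Windows\System32\DSPARSE.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open","NT AUTHORITY\SYSTEM"
"10:01:02.1234650","examplesvc.exe","1234","CreateFile","C:\Program Files\ExampleAV\Bin\helper.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open","NT AUTHORITY\SYSTEM"
"10:01:02.1234702","examplesvc.exe","1234","CreateFile","C:\Program Files\ExampleAV\Bin\settings.txt","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open","NT AUTHORITY\SYSTEM"
"10:01:03.0000001","notepad.exe","5678","CreateFile","C:\Users\alice\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open","DESKTOP\alice"
'''


def parse_procmon_csv(csv_text):
    """Parse a Procmon CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def missing_dll_probes(rows, privileged_users=PRIVILEGED):
    """Yield rows that are failed DLL opens performed by a privileged process."""
    for row in rows:
        if row["Operation"] != "CreateFile":
            continue
        if row["Result"] != "NAME NOT FOUND":
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        if row["User"] not in privileged_users:
            continue
        yield row


def search_order(rows, privileged_users=PRIVILEGED):
    """Map (process, pid, dll name) -> directories probed, in capture order.

    ntpath is used so Windows paths split correctly on any host OS.
    """
    order = {}
    for row in missing_dll_probes(rows, privileged_users):
        directory, name = ntpath.split(row["Path"])
        key = (row["Process Name"], row["PID"], name.lower())
        probed = order.setdefault(key, [])
        if directory not in probed:
            probed.append(directory)
    return order


def directory_is_writable(directory):
    """Probe by creating and removing a uniquely named file.

    On a host with a self-protection filter driver this should return
    False for the product's folders even from an elevated shell; True
    there means a planted DLL would be accepted.
    """
    probe = os.path.join(directory, ".probe-" + uuid.uuid4().hex)
    try:
        with open(probe, "x"):
            pass
    except OSError:  # permission denied, missing directory, etc.
        return False
    os.remove(probe)
    return True


def hijack_candidates(rows, writable=directory_is_writable, privileged_users=PRIVILEGED):
    """For each missing DLL, report the first probed directory that is writable.

    The first writable directory in search order is where a planted copy
    would be loaded from, regardless of whether a genuine copy exists later.
    """
    hits = []
    for (process, pid, dll), dirs in search_order(rows, privileged_users).items():
        for directory in dirs:
            if writable(directory):
                hits.append({"process": process, "pid": pid, "dll": dll, "plant_in": directory})
                break
    return hits


if __name__ == "__main__":
    sample_rows = parse_procmon_csv(SAMPLE_CSV)
    for key, dirs in search_order(sample_rows).items():
        print("%s (pid %s) probed for %s in: %s" % (key[0], key[1], key[2], " -> ".join(dirs)))
    for hit in hijack_candidates(sample_rows):
        print("candidate: plant %s in %s" % (hit["dll"], hit["plant_in"]))
```

Run it against a real export by replacing `SAMPLE_CSV` with the file contents. The "User" column is not exported unless it is enabled in Procmon, so the script will raise a KeyError on captures without it; that is intentional, because without the user you cannot tell a SYSTEM probe from one by your own session. Note that `directory_is_writable` performs a real write, so run it as the identity whose rights you are questioning, and expect every product folder to report False when the mini-filter works as intended.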