Assigned CVE: CVE-2020-5835 has been assigned and RedyOps Labs has been publicly acknowledged by the vendor.

An Elevation of Privilege (EoP) exists in SEPM 14.2 RU2 MP1.

Known to Neurosoft’s RedyOps Labs since:

The latest version we tested is SEPM Version 14 (14.2 RU2 MP1) build 5569 (.2100).

Exploiting this EoP gives a low-privileged user the ability to execute any file as SYSTEM. Exploitation can take place at the moment a remote installation of SEP is happening. The attacker escalates privileges not on the machine that has SEPM installed, but on the machine to which the SEP client is being remotely pushed (installed). The attacker controls the file vpremote.dat, which is used to provide the command line for the execution of the setup. By altering that command line, the attacker can execute any file of their choosing. Moreover, the installation uses the C:\TEMP folder, which the user fully controls, so further attacks with symlinks seem to be possible.

Whenever Symantec Endpoint Protection Manager (SEPM) performs a client installation with remote push (Symantec Endpoint Protection Manager -> Clients -> Install a Client -> Next -> Next -> Remote Push), the following actions happen:

- Given the credentials of a user who has administrative rights on the remote machine (local Administrator, Domain Admin, etc.), SEPM connects to the remote system in order to install the client.
- On the remote system, the folder c:\TEMP\Clt-Inst\ is created and a variety of actions are performed as SYSTEM.
- Any user can create any folder under the C:\ drive.
- By default, any user with low privileges has full access to the new folders that are created under the C:\ drive.
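To check, before starting a push, whether the staging path named above can be pre-created or written by low-privileged users on the target machine, here is an added PowerShell audit (not from the advisory or from Symantec). The set of principals treated as low-privileged is my own assumption, and the script only reports; it changes no ACLs.

```powershell
# Added audit script (not part of the original advisory). It inspects the SEP
# remote-push staging path C:\TEMP\Clt-Inst and its parents for ACEs that let
# low-privileged principals write, which is what the advisory relies on.
# Run as an administrator on the machine you intend to push the client to.
$StagingPath = 'C:\TEMP\Clt-Inst'
# Assumption: these principals represent "any low-privileged user" for the audit.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# Write (includes CreateDirectories/AppendData), Modify and FullControl bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakAces {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
    }
}

# Walk from the staging folder up to the drive root: a writable parent is enough
# for a low-privileged user to pre-create the folder (and own what it contains).
$paths = @($StagingPath, (Split-Path $StagingPath -Parent), 'C:\')
foreach ($p in $paths) {
    $exists = Test-Path -LiteralPath $p
    $weak = @(Get-WeakAces -Path $p)
    $owner = if ($exists) { (Get-Acl -LiteralPath $p).Owner } else { 'n/a' }
    [pscustomobject]@{
        Path     = $p
        Exists   = $exists
        Owner    = $owner
        WeakAces = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
    }
}

# A vpremote.dat that already exists before any push has been started is worth
# investigating: the advisory states this file carries the setup command line.
$dat = Join-Path $StagingPath 'vpremote.dat'
if (Test-Path -LiteralPath $dat) {
    Get-Item -LiteralPath $dat | Select-Object FullName, LastWriteTime, Length
    'Owner of vpremote.dat: ' + (Get-Acl -LiteralPath $dat).Owner
}
```

A row whose Owner is a non-administrative account, or whose WeakAces column is non-empty for C:\TEMP or C:\TEMP\Clt-Inst, means the staging path on that machine is under a low-privileged user's control before the push runs.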