Symantec addressed a local privilege escalation flaw that affects all Symantec Endpoint Protection client versions prior to 14.2 RU2.

Symantec addressed a local privilege escalation flaw, tracked as CVE-2019-12758, that affects all Symantec Endpoint Protection client versions prior to 14.2 RU2. The vulnerability could be exploited by attackers to escalate privileges on target devices and carry out malicious actions, including the execution of malicious code with SYSTEM privileges.

The issue is similar to other vulnerabilities discovered by researchers from SafeBreach Labs in other antivirus solutions from several security vendors, including McAfee, Trend Micro, Check Point, Bitdefender, AVG and Avast.

The flaws could allow attackers to bypass the self-defense mechanism of the antivirus solutions and deliver persistent malicious payloads.

Like other DLL hijacking issues in security solutions, the Symantec Endpoint Protection LPE flaw could be exploited only by attackers who already hold Administrator privileges.

“This vulnerability could have been used in order to bypass Symantec’s Self-Defense mechanism and achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process which is signed by Symantec and that runs as NT AUTHORITY\SYSTEM.” reads the advisory published by SafeBreach.

“we found a service (SepMasterService) of the Symantec Endpoint Protection which is running as signed process and as NT AUTHORITY\SYSTEM, which is trying to load the following DLL which doesn’t exist: c:\Windows\SysWOW64\wbem\DSPARSE.dll”

In the case of Symantec Endpoint Protection, the experts discovered that a service called SepMasterService, which runs as a signed process under NT AUTHORITY\SYSTEM, attempts to load a DLL from the following path: c:\Windows\SysWOW64\wbem\DSPARSE.dll

The researchers tested the flaw by compiling an unsigned 32-bit Proxy DLL out of the original dsparse.dll file, which logs the name of the process that loaded it, the username it executed under and the name of the DLL file. The experts then implanted it in C:\Windows\SysWow64\Wbem and restarted the computer:

“We were able to load an arbitrary Proxy DLL (which loaded another arbitrary DLL) and execute our code within a service’s process which is signed by Symantec Corporation as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continues the analysis.

“There are two root causes for this vulnerability:

No digital signature validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.

The fastprox.dll library is trying to import the dsparse.dll from its current working directory (CWD), which is C:\Windows\SysWow64\Wbem, while the file is actually located in the SysWow64 folder.”
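A defender-side check for the two preconditions quoted above (a planted file at the path the advisory names, and DLLs in that directory that carry no valid signature). This is an added example, not code from the post or from SafeBreach's advisory; it assumes a 64-bit Windows host, an elevated PowerShell session, and the paths exactly as the advisory states them.

```powershell
# Added example (not from the Security Affairs post or the SafeBreach advisory).
# Assumptions: 64-bit Windows, run as Administrator; paths are those quoted above.

$HijackPath = 'C:\Windows\SysWOW64\wbem\DSPARSE.dll'   # path the advisory says should not exist

function Test-DllHijackArtifact {
    param([string]$Path = $HijackPath)
    # Per the advisory this file does not exist on a clean system, so its mere
    # presence is an indicator worth triaging, regardless of its signature.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Status = 'NotPresent'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path    = $Path
        Present = $true
        Status  = $sig.Status.ToString()   # 'Valid' only if the Authenticode chain verifies
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Get-UnsignedDllsInDirectory {
    param([string]$Directory = 'C:\Windows\SysWOW64\wbem')
    # Enumerate DLLs in the directory where the signed, SYSTEM-level service
    # resolves imports, and report anything without a valid signature: the check
    # the advisory says the loader itself never performed.
    # Caveat: on older PowerShell builds, catalog-signed Windows system DLLs may
    # report 'NotSigned' even though they are legitimately signed via catalog.
    Get-ChildItem -LiteralPath $Directory -Filter '*.dll' -File -ErrorAction Stop |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status.ToString()
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
}

Test-DllHijackArtifact | Format-List
Get-UnsignedDllsInDirectory | Format-Table -AutoSize
```

Any hit from the first function on a host running a client older than 14.2 RU2 should be treated as a possible planted DLL and preserved for analysis rather than simply deleted.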

Symantec addressed the flaw with the release of the Symantec Endpoint Protection 14.2 RU2 on October 22, 2019.

“The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the services are being loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time it is restarted.” concludes SafeBreach.

Pierluigi Paganini

(SecurityAffairs – Symantec Endpoint Protection, hacking)