August 21st, 2019

Peleg Hadar

Security Researcher, SafeBreach Labs

Introduction

SafeBreach Labs discovered a new vulnerability in BitDefender Antivirus Free 2020 software.

In this post, we will demonstrate how this vulnerability could be used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into multiple services that runs as NT AUTHORITY\SYSTEM.

BitDefender Antivirus Free 2020

This is the latest version of the free version of BitDefender’s Antivirus software.

Some parts of the software run as:

a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions. Non-PPL processes which allows an attacker to load unsigned code, because the CIG (Code Integrity Guard) mechanism is not enforced.

In this post, we describe the vulnerability we found in the BitDefender Antivirus Free 2020.

We then demonstrate how this vulnerability can be exploited to achieve privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges.





Discovery

In our initial exploration of the software, we targeted the following BitDefender services:

“BitDefender Security Service” (vsserv.exe) “BitDefender Updater Service” (updatesrv.exe)

because of the following reasons:

It runs as NT AUTHORITY\SYSTEM - the most privileged user account. This kind of service might be exposed to a user-to-SYSTEM privilege escalation, which is very useful and powerful to an attacker.

The executable of the service is signed by BitDefender and if the hacker finds a way to execute code within this process, it can be used as an application whitelisting bypass which can lead to security product evasion.

This service automatically starts once the computer boots, which means that it’s a potential target for an attacker to be used as a persistence mechanism.

Despite the fact it’s an antivirus, these services are running as non-PPL, which means that CIG (Code Integrity Guard) is not enforced, so unsigned code loading is possible into these processes.

In our exploration, we found that these services were started as signed processes and executed as NT AUTHORITY\SYSTEM.

Once executed, we noticed an interesting behavior:

As you can see, the services were trying to load a missing DLL file from different directories within the PATH environment variable.

Stay with us, we will analyze the root cause for trying to load the missing DLL file in the next section of the article.





PoC Demonstration

In our VM, Python 2.7 is installed. The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.

It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts, and (2) modify the system’s PATH variable to include that directory. This can be done by different applications.

In order to test this privilege escalation vulnerability, we compiled an unsigned DLL which writes the following to the filename of a txt file once the DLL is loaded:

The name of the process which loaded it

The username which executed it

The name of the DLL file



We were able to load an arbitrary DLL as a regular user and execute our code within multiple processes which are signed by BitDefender as NT AUTHORITY\SYSTEM.

Root Cause Analysis

Once the “BitDefender Update Service” (updatesrv.exe) and the “BitDefender Security Service” (vsserv.exe) are started, it loads the ServiceInstance.dll library.

The ServiceInstance.dll library tries to load the “RestartWatchDog.dll” library by calling LoadLibraryW.





There are two root causes for this vulnerability:

The lack of safe DLL loading due to having an uncontrolled search path -

In this case, it is necessary to use the SetDefaultDllDirectories / LoadLibraryEx functions in order to control the paths from which a DLL can be loaded within the scope of the executable.

due to having an uncontrolled search path - In this case, it is necessary to use the functions in order to control the paths from which a DLL can be loaded within the scope of the executable. No digital certificate validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.

Potential Malicious Uses and Impact

Below we show three possible ways that an attacker can leverage the CVE-2019-15295 vulnerability we discovered and documented above.

Signed Execution and Whitelisting Bypass

The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion.

Persistence Mechanism

The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted.

Privilege Escalation

After an attacker gains access to a computer, he might have limited privileges which can limit access to certain files and data. The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer.

Affected Versions

BitDefender Antivirus Free 2020

ServiceInstance.dll - 1.0.15.119

Timeline

July 17th, 2019 - Vulnerability Reported

July 17th, 2019 - Initial Response from BitDefender

Aug 14th, 2019 - BitDefender has confirmed the vulnerability

Aug 19th, 2019 - BitDefender has published an advisory[1] and issued CVE-2019-15295

References

Please enable JavaScript to view the comments powered by Disqus.