Symantec Endpoint Protection vulnerabilities enable privilege escalation
The vulnerabilities can be exploited to escalate privileges on any machine running SEP, potentially resulting in a complete Windows domain takeover.
It seems even security software needs security these days – on Tuesday, researchers with Offensive Security announced that they discovered vulnerabilities in Symantec Endpoint Protection (SEP) that can enable escalation of privileges.
A Symantec spokesperson told SCMagazine.com on Wednesday that the company is aware of the reported SEP vulnerabilities and is currently investigating the matter.
The vulnerability demonstrated in a video posted on Tuesday lies in SEP's software drivers, Mati Aharoni, CEO of Offensive Security, told SCMagazine.com in a Wednesday email, explaining that a default installation of SEP exposes some of those drivers to unsafe input that can be exploited.
“An attacker exploiting these vulnerabilities would require the ability to run commands on the targeted system,” Aharoni said. “A malicious local individual would be able to elevate their privileges from a regular or non-privileged user to complete NT AUTHORITY\SYSTEM access on each machine with SEP installed.”
That means that a regular user in the domain could use the vulnerability to gain administrative control of the computer they are working on, or an attacker that has compromised a system under the context of a normal user could escalate to administrative access, Aharoni said.
“Gaining this level of access is often the first step needed for a deeper compromise within an organization,” Aharoni said. “From a penetration testing standpoint, a vulnerability like this most often results in a cascading effect [that] can quickly result in a complete Windows domain takeover.”
Offensive Security will publish the privilege escalation exploit code in the coming days; once it is available, Aharoni said, carrying out the attack will be fairly simple. Writing the working exploit, he added, was complex, and it will be examined further in the Advanced Windows Exploitation course at the upcoming Black Hat 2014 conference.