Symantec Endpoint Protection vulnerabilities enable privilege escalation

The vulnerabilities can be exploited to escalate privileges, perhaps resulting in a complete Windows domain takeover.

It seems even security software needs security these days – on Tuesday, researchers with Offensive Security announced that they discovered vulnerabilities in Symantec Endpoint Protection (SEP) that can enable escalation of privileges.

A Symantec spokesperson said on Wednesday that the company is aware of the reported SEP vulnerabilities and is currently investigating the matter.

The vulnerability demonstrated in a video posted on Tuesday exists in SEP software drivers, Mati Aharoni, CEO of Offensive Security, said in an email on Wednesday, explaining that a default installation of SEP exposes some of the drivers to unsafe inputs that can be exploited.

“An attacker exploiting these vulnerabilities would require the ability to run commands on the targeted system,” Aharoni said. “A malicious local individual would be able to elevate their privileges from a regular or non-privileged user to complete NT AUTHORITY\SYSTEM access on each machine with SEP installed.”

That means that a regular user in the domain could use the vulnerability to gain administrative control of the computer they are working on, or an attacker that has compromised a system under the context of a normal user could escalate to administrative access, Aharoni said.

“Gaining this level of access is often the first step needed for a deeper compromise within an organization,” Aharoni said. “From a penetration testing standpoint, a vulnerability like this most often results in a cascading effect [that] can quickly result in a complete Windows domain takeover.”

Offensive Security will be publishing the code for the privilege escalation exploit in the coming days; Aharoni said the exploit makes carrying out the attack fairly simple, although writing the working code was complex. The exploit will be further reviewed during an Advanced Windows Exploitation course at the upcoming Black Hat 2014 conference.
