vtrelop.blogg.se

Bypass symantec endpoint protection





SafeBreach Labs discovered a new vulnerability in Symantec Endpoint Protection software. In this post, we will demonstrate how this vulnerability could have been used in order to bypass Symantec’s Self-Defense mechanism and achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process which is signed by Symantec and that runs as NT AUTHORITY\SYSTEM.

Note: In order to exploit this vulnerability, the attacker needs to have Administrator privileges.

Symantec Endpoint Protection is a security software suite, consisting of anti-malware, intrusion prevention and firewall features for server and desktop computers. It was developed by Symantec and has the largest market share of any product for endpoint security. Multiple parts of the software run as a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions.

In this post, we describe the vulnerability we found in the Symantec Endpoint Protection software. We then demonstrate how this vulnerability can be exploited to achieve arbitrary code execution within the context of a Symantec service, gaining access with NT AUTHORITY\SYSTEM level privileges.
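On the detection side, the condition described above (a module without a valid signature mapped into a vendor service running as NT AUTHORITY\SYSTEM) can be checked against image-load telemetry. The following is an added example, not code from the original post: it assumes events shaped like Sysmon Event ID 7 (ImageLoad) records, and the install directory, file names and sample events are constructed placeholders.

```python
# Added example, not from the original post. Field names follow Sysmon
# Event ID 7 (ImageLoad); paths and events are constructed placeholders.
from ntpath import normcase, normpath

PROTECTED_DIRS = [r"C:\Program Files\EXAMPLE-AV-INSTALL-DIR"]  # placeholder

def _under(path, directory):
    """True if path is inside directory (case-insensitive, '..' collapsed)."""
    p = normcase(normpath(path))
    d = normcase(normpath(directory)).rstrip("\\") + "\\"
    return p.startswith(d)

def suspicious_loads(events, protected_dirs=PROTECTED_DIRS):
    """Return image loads where a SYSTEM process from a protected install
    directory mapped a module that lacks a valid signature."""
    hits = []
    for ev in events:
        if ev.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
            continue
        if not any(_under(ev["Image"], d) for d in protected_dirs):
            continue
        if ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid":
            continue  # validly signed module: expected behaviour
        hits.append({
            "process": ev["Image"],
            "module": ev["ImageLoaded"],
            "signature_status": ev.get("SignatureStatus", "missing"),
            "outside_install_dir": not any(
                _under(ev["ImageLoaded"], d) for d in protected_dirs),
        })
    return hits

SVC = r"C:\Program Files\EXAMPLE-AV-INSTALL-DIR\Bin\service.exe"  # placeholder
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [  # constructed for illustration
    {"User": SYSTEM, "Image": SVC, "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"User": SYSTEM, "Image": SVC, "Signed": "false",
     "SignatureStatus": "Unavailable",
     "ImageLoaded": r"C:\ProgramData\Temp\helper.dll"},
    {"User": r"LAB\alice", "Image": r"C:\Tools\app.exe", "Signed": "false",
     "SignatureStatus": "Unavailable", "ImageLoaded": r"C:\Tools\plugin.dll"},
]

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS):
        print(hit)
```

Sysmon reports the signature of the loaded module only, so the set of protected process directories has to come from the defender's own inventory of the product's install paths.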





