

Known to Neurosoft’s RedyOps Labs since:

Assigned CVE: CVE-2020-5837 has been assigned and RedyOps Labs has been publicly acknowledged by the vendor.

An Elevation of Privilege (EoP) exists in SEP 14.2 RU2. The latest version we tested is SEP Version 14 (14.2 RU2 MP1) build 5569 (.2100). Exploiting this EoP gives a low-privileged user the ability to create a file anywhere in the system. The attacker partially controls the content of the file.

Whenever Symantec Endpoint Protection (SEP) performs a scan, it uses high privileges to create a log file under the folder C:\Users\user\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\

An attacker can create a symlink so that this file is written anywhere in the system. We chose to create a bat file in the all-users Startup folder, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\backdoor.bat, because we believe it is a good opportunity to present an interesting method we used to bypass the restrictions of this arbitrary write, where we could only partially control the content.

For example, the following steps will force SEP to create the log file under the
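A defender-side check for the two preconditions described above, added here and not part of the advisory: it reports reparse points (symlinks or junctions) on or under each user's SEP Logs folder, and lists entries in the all-users Startup folder with their owner so that a file planted there by a non-administrator stands out. The folder paths are the ones named in the advisory; the output fields are my own choice.

```powershell
# Added detection script (not from the advisory). Run elevated so every user's profile is readable.
$sepLogsRelative = 'AppData\Local\Symantec\Symantec Endpoint Protection\Logs'
$startupFolder   = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'

# 1) The redirect needs a reparse point where SEP expects to write its log: check the Logs
#    folder of every profile and anything directly inside it.
$profiles = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue
foreach ($profile in $profiles) {
    $logsDir = Join-Path $profile.FullName $sepLogsRelative
    if (-not (Test-Path -LiteralPath $logsDir)) { continue }

    $candidates = @(Get-Item -LiteralPath $logsDir -Force) +
                  @(Get-ChildItem -LiteralPath $logsDir -Force -ErrorAction SilentlyContinue)
    foreach ($item in $candidates) {
        if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
            [pscustomobject]@{
                Finding  = 'ReparsePointInSepLogs'
                Path     = $item.FullName
                LinkType = $item.LinkType      # SymbolicLink / Junction, as exposed by the FileSystem provider
                Owner    = (Get-Acl -LiteralPath $item.FullName).Owner
            }
        }
    }
}

# 2) Anything in the all-users Startup folder runs for every interactive logon; an owner that is
#    not BUILTIN\Administrators or SYSTEM is worth a second look.
Get-ChildItem -LiteralPath $startupFolder -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $owner = (Get-Acl -LiteralPath $_.FullName).Owner
    [pscustomobject]@{
        Finding   = 'StartupEntry'
        Path      = $_.FullName
        Owner     = $owner
        Created   = $_.CreationTime
        Suspicious = ($owner -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'))
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` for review; a `ReparsePointInSepLogs` finding next to a `Suspicious` startup entry matches the pattern the advisory describes.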
