<<< Date Index >>>     <<< Thread Index >>>

Re: SEPKILL /im SMC.EXE /f



Privilege Escalation attack

POC:

::Save the following as a batch file and execute it.
:here
taskkill /im smcgui.exe /f
goto :here

Now since the smcgui.exe is running in the user account, It will not be denied access to. When the batch file is running, Open the file "c:\Program Files\Symantec\Symantec Endpoint Protection\symcorpui.exe" Even if the password has been set or the administrator has disabled the user to open the GUI, All the conditions will be bypassed. And as I said before, The Help and Support > Troubleshooting will show the server as offline for the client and the NTP will not be visible if its installed.

Thank you.

Regads, Sandeep




--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@xxxxxxx>
Sent: Thursday, February 19, 2009 12:50 PM
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: SEPKILL /im SMC.EXE /f

Please note the following. I have reported this to Symantec at
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&thread.id=25786&view=by_date_ascending&page=2




Symantec,



I have reported the second part of this to bugtraq, The first part I will in some time, Once I am done with this thread. The part before that is what this thread looks to be about.



1)



POC:



::Save the following as a batch file and execute it.

:here

taskkill /im smcgui.exe /f

goto :here



Its mainly bruteforcing the icon not to appear in the taskbar but doing more than that. The communication with the manager is lost(Though with smc.exe running under system account) and NTP is over and out from the SEP client console while this is running.



POC:



With the batch file running, Open the following executable which is the GUI(Not Icon) for SEP

"c:\Program Files\Symantec\Symantec Endpoint Protection\symcorpui.exe"



If you have NTP installed, It would not be there and if you only have the NTP installed, It will say "No Problems detected- No protection technology is installed" and nothing in that board. If you go to help and support > Troubleshooting. The server is offline for the client.







All this might be purely cosmetic but guess there's time to get that patched up before mp2 rolls out.





2)



When the following command line is executed



"c:\program files\symantec\symantec endpoint protection\smcgui.exe" ~



The error is thrown as below which lasts for a split second.



"Serious problem reading transaction from pipe - probable loss of synchonisation a and GetlastError return 6"



http://www.postimage.org/image.php?v=aV2in8dJ



and if executed in a batch file in the following way.



POC:



::Save the following as a batch file and execute it.

:here

"c:\program files\symantec\symantec endpoint protection\smcgui.exe" ~

goto :here





and run the filemon with the filter as smc.exe, Whenever it tries to access the smcgui.exe. There is a "Buffer Overflow" detected. As I have said at bugtrax as well, I am not sure if the buffer overflow has happened or averted but its all very interesting.





Regards, Sandeep Cheema















Message Edited by S1l3nc3 pl3as3 on 02-18-2009 11:09 PM
Message Edited by S1l3nc3 pl3as3 on 02-18-2009 11:15 PM

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@xxxxxxx>
Sent: Wednesday, February 18, 2009 1:54 PM
To: "Sandeep Cheema" <51l3n7@xxxxxxx>; "Jon Kloske" <jon@xxxxxxxxx>
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: SEPKILL /im SMC.EXE /f

In fact looks like Symantec has inherited the bug from Sygate. The original one looks to be patched up though but on similar lines.

http://seclists.org/bugtraq/2005/Dec/0249.html

Thank you.

Regards, Sandeep

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@xxxxxxx>
Sent: Wednesday, February 18, 2009 1:48 PM
To: "Jon Kloske" <jon@xxxxxxxxx>
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: SEPKILL /im SMC.EXE /f

Hi Jon,

Probably there has been some confusion.

The smc.exe -p ~ was a different thread and drwtsn32 was a different one
with different subject lines.

Anyway. This is what my new findings are in continuation with the tilde.

On executing the following command line
"%programfiles%\symantec\symantec endpoint protection\smcgui.exe" ~
The attached error is thrown by the SMGUI.exe which lasts for a split
second.

"Serious problem reading transaction from pipe - probable loss of
synchonisation a and GetlastError return 6"


When the following batch file is run

:here
"%programfiles%\symantec\symantec endpoint protection\smcgui.exe" ~
goto :here

and the filemon is run along with it with the filter as smcgui.exe, Whenever the smc.exe tries to access smcgui.exe there is a "Buffer Overflow", I am
not sure if the buffer overflow actually has happened or it has been
avoided.

The recordings are from limited user and admin account and have the same
result.

Also. Worth noting is that once the command is executed then the same
behavior(error) is noted with any parameter passed to smcgui.exe

For example :  "%programfiles%\symantec\symantec endpoint
protection\smcgui.exe" test
The same is the case with smc.exe when used with -p

Which indicates that the buffer overflow has happened but I am not entirely
sure about it.

Thank you.

Regards, Sandeep




--------------------------------------------------
From: "Jon Kloske" <jon@xxxxxxxxx>
Sent: Monday, February 16, 2009 6:53 AM
To: "David Calabro" <dcalabro@xxxxxxxxxxxxxxxxxxxx>; "Sandeep Cheema"
<51l3n7@xxxxxxx>
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: SEPKILL /im SMC.EXE /f

Hi David and Sandeep,

Perhaps I'm missing something, but everything you're saying I either
can't reproduce on my test systems or requires administrator privileges
anyway, at which point crashing smc is the least of your problems.


If the Symantec Management Client service was somehow changed from
"smc.exe" to "smc.exe -P" it would effectively prevent the service
from
starting in the first place. Correct?

What are you trying to target with this?

If you can change that portion of the registry, why not replace smc.exe
with "del c:\*.* /q /s /f" or "maliciousprogram.exe" or whatever?


>>> You can kill smc.exe with the help of drwtsn32.exe in the
following
way.
>>>
>>> drwtsn32 -p %pid%
>>> where pid is the process id for smc.exe

There's nothing remarkable about this at all. If you tell Dr Watson to
debug any process id, it's going to end the process. Or at least it did
to half a dozen applications I tested it on :)

Then again, you need administrator privs for this, so really, the same
argument here applies as above. If you have this level of access, why
not just use your administrator privileges more directly instead of
trying to find some pointlessly circumspect method.

I'm not saying you aren't on to something - there does appear to be some
limited amount of instability in the smc.exe binary possibly to do with
paramter validation or parsing or something - but I just can't see at
this stage how it's useful, given that I've been unable to get any of
these problems to affect the actual antivirus process running in the
system account (that's the one that does the actual work), without
administrator privileges (and then as indicated, it's not much of an
exploit if it requires administrative privileges to pull off.)

Regards,
Jon.