As an update, Keep track of this thread as well. https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=26289 -------------------------------------------------- From: "Sandeep Cheema" <51l3n7@xxxxxxx> Sent: Friday, February 20, 2009 11:01 AM To: <bugtraq@xxxxxxxxxxxxxxxxx> Subject: Re: SEPKILL /im SMC.EXE /f
Privilege Escalation attack POC: ::Save the following as a batch file and execute it. :here taskkill /im smcgui.exe /f goto :hereNow since the smcgui.exe is running in the user account, It will not be denied access to. When the batch file is running, Open the file "c:\Program Files\Symantec\Symantec Endpoint Protection\symcorpui.exe" Even if the password has been set or the administrator has disabled the user to open the GUI, All the conditions will be bypassed. And as I said before, The Help and Support > Troubleshooting will show the server as offline for the client and the NTP will not be visible if its installed.Thank you. Regads, Sandeep -------------------------------------------------- From: "Sandeep Cheema" <51l3n7@xxxxxxx> Sent: Thursday, February 19, 2009 12:50 PM To: <bugtraq@xxxxxxxxxxxxxxxxx> Subject: Re: SEPKILL /im SMC.EXE /fPlease note the following. I have reported this to Symantec at https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&thread.id=25786&view=by_date_ascending&page=2 Symantec,I have reported the second part of this to bugtraq, The first part I will in some time, Once I am done with this thread. The part before that is what this thread looks to be about.1) POC: ::Save the following as a batch file and execute it. :here taskkill /im smcgui.exe /f goto :hereIts mainly bruteforcing the icon not to appear in the taskbar but doing more than that. The communication with the manager is lost(Though with smc.exe running under system account) and NTP is over and out from the SEP client console while this is running.POC:With the batch file running, Open the following executable which is the GUI(Not Icon) for SEP"c:\Program Files\Symantec\Symantec Endpoint Protection\symcorpui.exe"If you have NTP installed, It would not be there and if you only have the NTP installed, It will say "No Problems detected- No protection technology is installed" and nothing in that board. If you go to help and support > Troubleshooting. The server is offline for the client.All this might be purely cosmetic but guess there's time to get that patched up before mp2 rolls out.2) When the following command line is executed "c:\program files\symantec\symantec endpoint protection\smcgui.exe" ~ The error is thrown as below which lasts for a split second."Serious problem reading transaction from pipe - probable loss of synchonisation a and GetlastError return 6"http://www.postimage.org/image.php?v=aV2in8dJ and if executed in a batch file in the following way. POC: ::Save the following as a batch file and execute it. :here "c:\program files\symantec\symantec endpoint protection\smcgui.exe" ~ goto :hereand run the filemon with the filter as smc.exe, Whenever it tries to access the smcgui.exe. There is a "Buffer Overflow" detected. As I have said at bugtrax as well, I am not sure if the buffer overflow has happened or averted but its all very interesting.Regards, Sandeep Cheema Message Edited by S1l3nc3 pl3as3 on 02-18-2009 11:09 PM Message Edited by S1l3nc3 pl3as3 on 02-18-2009 11:15 PM -------------------------------------------------- From: "Sandeep Cheema" <51l3n7@xxxxxxx> Sent: Wednesday, February 18, 2009 1:54 PM To: "Sandeep Cheema" <51l3n7@xxxxxxx>; "Jon Kloske" <jon@xxxxxxxxx> Cc: <bugtraq@xxxxxxxxxxxxxxxxx> Subject: Re: SEPKILL /im SMC.EXE /fIn fact looks like Symantec has inherited the bug from Sygate. The original one looks to be patched up though but on similar lines.http://seclists.org/bugtraq/2005/Dec/0249.html Thank you. Regards, Sandeep -------------------------------------------------- From: "Sandeep Cheema" <51l3n7@xxxxxxx> Sent: Wednesday, February 18, 2009 1:48 PM To: "Jon Kloske" <jon@xxxxxxxxx> Cc: <bugtraq@xxxxxxxxxxxxxxxxx> Subject: Re: SEPKILL /im SMC.EXE /fHi Jon, Probably there has been some confusion.The smc.exe -p ~ was a different thread and drwtsn32 was a different onewith different subject lines.Anyway. This is what my new findings are in continuation with the tilde.On executing the following command line "%programfiles%\symantec\symantec endpoint protection\smcgui.exe" ~ The attached error is thrown by the SMGUI.exe which lasts for a split second. "Serious problem reading transaction from pipe - probable loss of synchonisation a and GetlastError return 6" When the following batch file is run :here "%programfiles%\symantec\symantec endpoint protection\smcgui.exe" ~ goto :hereand the filemon is run along with it with the filter as smcgui.exe, Whenever the smc.exe tries to access smcgui.exe there is a "Buffer Overflow", I amnot sure if the buffer overflow actually has happened or it has been avoided.The recordings are from limited user and admin account and have the sameresult. Also. Worth noting is that once the command is executed then the same behavior(error) is noted with any parameter passed to smcgui.exe For example : "%programfiles%\symantec\symantec endpoint protection\smcgui.exe" test The same is the case with smc.exe when used with -pWhich indicates that the buffer overflow has happened but I am not entirelysure about it. Thank you. Regards, Sandeep -------------------------------------------------- From: "Jon Kloske" <jon@xxxxxxxxx> Sent: Monday, February 16, 2009 6:53 AM To: "David Calabro" <dcalabro@xxxxxxxxxxxxxxxxxxxx>; "Sandeep Cheema" <51l3n7@xxxxxxx> Cc: <bugtraq@xxxxxxxxxxxxxxxxx> Subject: RE: SEPKILL /im SMC.EXE /fHi David and Sandeep, Perhaps I'm missing something, but everything you're saying I eithercan't reproduce on my test systems or requires administrator privilegesanyway, at which point crashing smc is the least of your problems.If the Symantec Management Client service was somehow changed from "smc.exe" to "smc.exe -P" it would effectively prevent the servicefromstarting in the first place. Correct?What are you trying to target with this?If you can change that portion of the registry, why not replace smc.exewith "del c:\*.* /q /s /f" or "maliciousprogram.exe" or whatever?>>> You can kill smc.exe with the help of drwtsn32.exe in thefollowingway. >>> >>> drwtsn32 -p %pid% >>> where pid is the process id for smc.exeThere's nothing remarkable about this at all. If you tell Dr Watson todebug any process id, it's going to end the process. Or at least it didto half a dozen applications I tested it on :) Then again, you need administrator privs for this, so really, the same argument here applies as above. If you have this level of access, why not just use your administrator privileges more directly instead of trying to find some pointlessly circumspect method.I'm not saying you aren't on to something - there does appear to be some limited amount of instability in the smc.exe binary possibly to do withparamter validation or parsing or something - but I just can't see at this stage how it's useful, given that I've been unable to get any of these problems to affect the actual antivirus process running in the system account (that's the one that does the actual work), without administrator privileges (and then as indicated, it's not much of an exploit if it requires administrative privileges to pull off.) Regards, Jon.