Rene Millman | SC Magazine UK | www.scmagazineuk.com
Security firm moves to patch flaw in Endpoint Security Initial Client software for Windows
Check Point Software has patched a flaw found in its Endpoint Security Initial Client software for Windows enabling hackers to escalate privileges and run code.
According to a blog post by Peleg Hadar, security researcher at SafeBreach Labs, the flaw could be used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM.
The software run as a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions, according to Hadar.
“This kind of service might be exposed to a user-to-SYSTEM privilege escalation, which is very useful and powerful to an attacker,” he said.
The issue is found in the the Check Point Device Auxiliary Framework Service — one of the services used by the targeted software that runs with SYSTEM privileges and with an executable signed by Check Point.
“Once executed, the service tries to load the atl110.dll Library (“ATL Module for Windows”) library and we noticed an interesting behaviour,” said Hadar. “The service was trying to load a missing DLL file from different directories within the PATH environment variable.”
In a virtual machine, Python 2.7 is installed. “The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM,” said Hadar.
Hadar said there were two root causes for this vulnerability. The first is the lack of safe DLL loading due to having an uncontrolled search path.
“In this case, it is necessary to use the SetDefaultDllDirectoriesfunction in order to control the paths from which a DLL can be loaded within the scope of the executable,” he said.
There was also no digital certificate validation made against the binary. “The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.”
This meant that an attack could have the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion. Hackers could also load and execute malicious payloads in a persistent way, each time the service is loaded.
Since the discovery of the flaw Check Point has patched it the release of Endpoint Security Initial Client for Windows version E81.30.
Todd Peterson, IAM evangelist at One Identity, told SC Media UK patching this vulnerability is key to mitigating the problem.
“In addition, by using Privileged Session Management (PSM) to strategically limit command or application execution to only those necessary for given tasks or more tactically block critical commands and channels on the fly, organisations can minimise their risks of attackers gaining access,” he said.
“Long term, you can combine your PSM with Privileged Account Analytics which detect anomalies in the privileged users’ behaviour. This helps to not only provide a baseline for what constitutes ‘normal’ activity, but also allows for visibility and action against unexpected deviations from the baseline.”
Peter Draper, technical director EMEA at Gurucul, told SC Media UK that this is another example of the possibilities for point security controls to be bypassed or fooled.
“There have been other vendors in a similar situation recently, such as Cylance. All of which adds more weight to the requirement for in depth defence and for centralised monitoring of logs from as many systems as possible, including network traffic, user behaviour and more. Using machine learning algorithms to correlate events and provide additional context to drive machine speed responses to the wide range of threats in today’s connected world,” he said.