The key features of this software include network threat protection to stop threats in the network itself before coming to your machine, insight reputation scoring detects Symantec Endpoint Protection, also known as Symantec Anti-Virus. The software is designed to protect against advanced threats with powerful, layered protection backed by industry-leading security intelligence. In May 2018, Symantec.Symantec Endpoint Protection is the software basically developed for Windows platform users. Symantec Endpoint Application Control enables you to lock down fixed-function devices, e.g., ATMs, Kiosks, POS devices to a known baseline of applications by: Enforcing a default-deny mode where only an approved list of apps can run Restricting updates to defined trusted updater mechanisms Continuous monitoring to detect and alert on any drift Easy Deployment and Management Using the A malicious application can take advantage of a vulnerability in Symantec Endpoint Protection to leak privileged information and/or execute code with higher privileges, thus taking full control over the affected host.On January 4, 2018, Symantec and BT (formerly British Telecom) announced their partnership that provides new endpoint security protection.
![]() Symantec Endpoint Protection 14 Lock Up Series Of InputCall IoAllocateMdl to allocate a memory descriptor list for that buffer. Call ExAllocatePool to allocate a buffer of 0x14 bytes in size in Paged Pool. In particular, by examining one of the subroutines that are executed during this IOCTL request, we see that the following steps take place: In this case we are interested at IOCTL 0x222014 that is sent to the ‘SysPlant.sys’ kernel driver.During the handling of this request, a programming mistake allows a malicious attacker to leak and corrupt kernel mode data. Symantec Endpoint Protection – Vulnerability AnalysisWhen a new process is created, SEP injects a DLL module named ‘sysfer.dll’ that makes a series of input-output control (IOCTL) requests once it’s loaded. This was necessary in order to obtain code execution in kernel mode while bypassing additional exploitation mitigations such as SMEP and KASLR.This means that by mapping this pool chunk in user mode, we also leak the rest of the memory page. However, when a buffer is mapped the entire memory page where the buffer range applies is also mapped.In this case, the buffer allocates a very small chunk that occupies in total 0x30 bytes (buffer size + pool header + alignment padding). Call MmMapLockedPagesSpecifyCache to map those pages into another virtual address range (Figure 1).Figure 1 – Mapping Paged Pool Chunk in User ModeThe last one of the steps described above maps that pool chunk in user mode in the context of the calling process.Otherwise, any new data written to that buffer will also be leaked in userland.As for the fact that the mapping of the kernel mode buffer should also be read-only, from Windows 8 onwards, the MdlMappingNoWrite flag can be used when calling the MmMapLockedPagesSpecifyCache function.The first parameter passed to MmMapLockedPagesSpecifyCache is a pointer to an MDL structure that was allocated in the second step, as described above.We are interested in the three highlighted members of this structure: This buffer must be sanitized (filled with zeros) before any mapping occurs.As a side note, the kernel mode buffer should not be freed while it’s still mapped in user address space. Any modification applied to the userland mapped memory page, will be reflected to original kernel mode memory page.In order to mitigate the information leakage, the driver should allocate a kernel mode buffer that is of size multiple to the size of the memory page used by the system – usually 4KBs. By default the memory page is mapped as writable, which also enables a user mode process to modify its contents.
Symantec Endpoint Protection 14 Lock Up Code With HigherSymantec Endpoint Protection 14 Lock Up Software Include NetworkHowever, the system maps the entire memory page and not just the desired pool chunk, as showing below (Figures 3, 4).This was a good finding in the first place, but we wanted to do something more with it, rather than just disclosing paged pool memory in userland.Note that this works only once per process during the modules loading stage. ByteOffset – Starting Offset of the buffer inside the memory pageThe intention of the developer was to map that small buffer of 0x14 bytes of size into the user mode address space of the calling process. ByteCount – Size of the buffer described by the MDL How to download desmume emulatorYes, these are paged-pool objects, and now we own them.Note that, the leaked memory pages do not necessarily contain object allocations associated with the calling process. So for this part, we will focus on Win 10 v1803.Since we can only leak only one paged pool memory page per process, and different processes might as well leak the same page (if there are free chunks were more than one of 0x30 bytes chucks can fit), we started by launching a bunch of processes.Each process uses the aforementioned IOCTL to get the base address of the mapped page in userland and save that data in a file for further investigation.After creating a few processes, ‘magic’ started to happen.We noticed that occasionally, we were able to leak Token Objects, a well-known target for kernel LPE exploits. This will also help us appreciate during the second part, how LFH applied for kernel pool allocations affected our exploit in the latest Win 10 versions. Exploitation (Win 7 – Win 10 v1803)In the first part of the exploitation write-up we will focus on Windows versions prior to Win 10 v1809. However, by re-using the same IOCTL from our own function, once our process has been initialized, we can find the userland address where that chunk is mapped.By knowing that, we can also find the base address in userland of that specific page by masking the last two bytes (VA & 0xFFFFF000), assuming page allocation granularity is 4KBs.Once we have that information, we can parse the mapped page to find information and interesting objects that we can use to exploit this further. Whatever the result is, the process will just wait afterwards indefinitely.The more processes being created, the more Token Objects we will have allocated, and so eventually we will start leaking those in a writable usermode-mapped kernel page.At this point we don’t know to which process each object belongs, and so we must keep a list of the process handles. We need this to ensure that the associated token objects do not get freed.In a few words, every child process will examine the leaked kernel memory page that is mapped in its address space and look for a leaked Token Object. Token Object Playground – First MethodSince every process has its own Token Object, we can start creating many processes which every time would be put in a ‘wait’ state. That being said, the leaked Token Object does not necessarily belong to the calling process, and in fact usually it will not.However, since we know that this interesting object type can be occasionally find itself inside a leaked page pool memory page, we need to find a way to take advantage of this situation. Alternatively, we can use the ImpersonateLoggedOnUser function to allow the calling thread of our exploit to use the elevated token privileges directly.Once we have created a few thousand clones of our primary token, we can then fall back to the first method described above.Again, we start creating child processes where each of these will examine the leaked kernel page mapped in its own address space and search for Token Objects to modify (see Figure 5).Finally, we can go through our token clones list and use GetTokenInformation with the TokenPrivileges TOKEN_INFORMATION_CLASS and search for an instance that has privileges that only an elevated process can have, such as the “SeDebugPrivilege”. This function also allows us to specify that each clone will be a primary token which we can later use through the CreateProcessAsUser function. Token Object Playground – Second MethodSince our first objective is to leak as many Token Objects as possible, it makes sense that the more of these are allocated, the greater the chances are that an allocated 0x30 bytes chunk will find itself in the same memory page.We can achieve this by using the DuplicateTokenEx function to create clones of the primary token of our exploit process.
0 Comments
Leave a Reply. |
AuthorMadari ArchivesCategories |