This can be done by different applications. It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts, and (2) modify the system’s PATH variable to include that directory. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM. The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. Stay with us, we will analyze the root cause for trying to load the missing DLL file in the next section of the article. Once executed, the service tries to load the atl110.dll Library (“ATL Module for Windows”) library and we noticed an interesting behavior:Īs you can see, the service was trying to load a missing DLL file from different directories within the PATH environment variable. In our exploration, we found that once the Check Point Device Auxiliary Framework Service (IDAFServerHostService.exe) was started, the IDAFServerHostService.exe signed process was executed as NT AUTHORITY\SYSTEM. This service automatically starts once the computer boots, which means that it’s a potential target for an attacker to be used as a persistence mechanism.The executable of the service is signed by Check Point and if the hacker finds a way to execute code within this process, it can be used as an application whitelisting bypass which can lead to security product evasion.This kind of service might be exposed to a user-to-SYSTEM privilege escalation, which is very useful and powerful to an attacker. It runs as NT AUTHORITY\SYSTEM – the most privileged user account.“Check Point Device Auxiliary Framework” (IDAFServerHostService.exe).“Check Point Endpoint Agent” (CPDA.exe).
In our initial exploration of the software, we targeted the following Check Point services: We then demonstrate how this vulnerability can be exploited to achieve privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges.
In this post, we describe the vulnerability we found in the Check Point Endpoint Security Initial Client software for Windows.
Some parts of the software run as a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions. Check Point Endpoint SecurityĬheck Point Endpoint Security includes data security, network security, advanced threat prevention, forensics, and remote access VPN solutions. In this post, we will demonstrate how this vulnerability could be used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM. SafeBreach Labs discovered a new vulnerability in Check Point Endpoint Security Initial Client software for Windows.
0 kommentar(er)
