CVE-2019-12750: Symantec Endpoint Protection Local Privilege Escalation – Part 1
A malicious application can take advantage of a vulnerability in Symantec Endpoint Protection to leak privileged information and/or execute code with higher privileges, thus taking full control over the affected host. Products Affected
Symantec Endpoint Protection Small Business Edition v12.x < 12.1 (RU6 MP10c)
Introduction
A few months ago, while looking for a local privilege escalation vulnerability in the latest version of Symantec Endpoint Protection (SEP v14.2 Build 2486) software, we encountered a vulnerability that was hidden for several years.
In addition, the latest security updates around the kernel pool allocations that were introduced in Windows 10 v1809 gave us the opportunity to implement a different approach in order to successfully exploit this vulnerability in the latest version currently available; v1909.
Since the two approaches we used are quite different between them, we decided to split this write-up into two parts.
In the first part, we will be discussing the actual bug and how we took advantage of it in earlier Windows versions, Windows 7 to 10 v1803, without additional kernel mode execution control requirements.
In the second part, we will go through a more sophisticated approach that required further analysis of the vulnerable products due to the newly introduced Low Fragmentation Heap (LFH) for kernel mode pool allocations, in Windows 10 v1809 onwards, which broke the first exploitation method. This was necessary in order to obtain code execution in kernel mode while bypassing additional exploitation mitigations such as SMEP and KASLR.
11.Insecure distribution of credentials - When you register in any website or you request for a password reset using forgot password feature, if the website sends your username and password over the email in cleartext without sending the password reset link, then it is a vulnerability.