Experts discovered DLL hijacking issues in Kaspersky and Trend Micro solutions | Security Affairs | Pierluigi Paganini
Researchers from SafeBreach discovered several vulnerabilities in Kaspersky Secure Connection, Trend Micro Maximum Security, and Autodesk Desktop Application products that could be exploited by hackers for DLL preloading, code execution, and privilege escalation.
The first issue in Kaspersky Secure Connection (KSDE) VPN client, tracked as CVE-2019-15689, could be exploited by an attacker to implant and run an arbitrary unsigned executable.
Over the past months, SafeBreach researchers have found similar DLL hijacking flaws in security solutions from McAfee, Symantec, Avast and Avira. In those products, privileged processes attempted to load libraries that were not present at the expected location, allowing an attacker to place a library of their own there and have it executed.
In all of these cases, the privileged processes did not verify the signature of the DLL they loaded.
Experts pointed out that KSDE is a signed service that starts automatically at system boot and runs as SYSTEM. The service attempts to load several DLLs that are not present on disk, so an attacker who already holds administrative privileges can place a malicious library at one of those locations and have it loaded with SYSTEM privileges in the context of ksde.exe.
Experts noticed that the process requests the library by filename only rather than by an absolute path. By getting the process to load a library they control, attackers could execute arbitrary code within the signed Kaspersky process.
“this vulnerability could have been exploited by an attacker during a post-exploitation phase in order to achieve signed code execution, persistence and in some cases defense evasion. This vulnerability may have allowed attackers to implant an arbitrary unsigned executable, executed by a signed service that runs as NT AUTHORITY\SYSTEM.” reads the post published by the experts. “Using the CVE-2019-15689 vulnerability, we were able to load an arbitrary DLL file which was signed by AO Kaspersky Lab and run as NT AUTHORITY\SYSTEM. Our code was executed within ksde.exe, […]”
The researchers tested the flaw by compiling an unsigned x86 DLL derived from the original ckahum.dll file; the test DLL writes out the name of the process that loaded it, the user account it ran under and the name of the DLL file itself. They then placed it in C:\Windows\SysWow64\Wbem and restarted the computer.
Experts also discovered a similar issue in the Autodesk Desktop Application, tracked as CVE-2019-7365, in which the software attempts to load a missing DLL file from the directories listed in the PATH environment variable.
“this vulnerability could be used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM.” reads the post.
Experts also reported a DLL hijacking flaw, tracked as CVE-2019-15628, affecting the Trend Micro Maximum Security product. This issue could be exploited to achieve defense evasion, self-defense bypass, persistence and, in some cases, privilege escalation by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.
Experts discovered that some parts of the software run as non-PPL (Protected Process Light) processes, so the Code Integrity Guard (CIG) mechanism that would block unsigned DLLs is not enforced, and an attacker can load unsigned code into them.
The vulnerability allows attackers to escalate privileges: a regular user could write the missing DLL file to a location searched by the service and achieve code execution as NT AUTHORITY\SYSTEM.
“On our VM, Python 2.7 is installed. The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.” reads the analysis.
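The common precondition in the Autodesk and Trend Micro cases above is a directory that a SYSTEM service searches for a name-only DLL and that non-administrators can write to (the c:\python27 entry in PATH in the quoted analysis). The following PowerShell audit, an added example that is not part of the SafeBreach research or of this article, lists the directories a LocalSystem service would search (the machine-wide PATH and each such service's own application directory) and reports any that grant write rights to low-privilege groups. The group names in `$lowPrivPrincipals` are an assumption based on the built-in English identities; add site-specific groups as needed.

```powershell
# Added example (not from the SafeBreach write-up or the Security Affairs article):
# audit the directories a SYSTEM service searches when it requests a DLL by
# filename only, and flag those that non-administrators can write to.

# Identities that should never be able to create files in a DLL search directory.
# Assumption: built-in English names; extend for localized or custom groups.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller drop or replace a file in the directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

# Returns the first low-privilege identity holding a write right on $Path, or $null.
function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

$candidates = @()

# 1. The machine-wide PATH is the one a service sees; it is searched after the
#    application directory and the system directories for a name-only DLL.
[Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    ForEach-Object { [System.IO.Path]::GetFullPath($_).TrimEnd('\') } |
    Sort-Object -Unique |
    ForEach-Object { $candidates += [pscustomobject]@{ Source = 'PATH'; Directory = $_ } }

# 2. The application directory of every service running as LocalSystem is the
#    first place searched, so it matters at least as much as PATH.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        if ($_.PathName -match '^\s*"?([^"]+?\.exe)') {
            Split-Path -Parent ([Environment]::ExpandEnvironmentVariables($Matches[1]))
        }
    } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Sort-Object -Unique |
    ForEach-Object { $candidates += [pscustomobject]@{ Source = 'LocalSystem service'; Directory = $_ } }

# Check each candidate directory and collect the findings.
$findings = foreach ($entry in $candidates) {
    try {
        $who = Test-LowPrivWritable -Path $entry.Directory
    } catch {
        Write-Warning "Could not read ACL of $($entry.Directory): $_"
        continue
    }
    if ($who) {
        [pscustomobject]@{
            Directory  = $entry.Directory
            Source     = $entry.Source
            WritableBy = $who
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No search directories writable by low-privilege identities were found.'
}
```

Run the script from an elevated prompt so that every ACL can be read. The check is deliberately conservative: it looks only at Allow entries and ignores Deny entries, so a directory may be reported writable when a Deny ACE actually blocks the write; treat the output as a list to review, not a verdict. Finding such a directory is one half of the problem described in the article; the other half is on the vendor's side, where a service should load its libraries by absolute path, or with a restricted search path, and verify their signatures before executing them.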