DDE_Server

A vulnerability in the free version of Bitdefender Antivirus could be exploited by an attacker to get SYSTEM-level permissions, reserved for the most privileged account on a Windows machine.

Privilege escalation vulnerabilities are used in a later stage of an attack, after the threat actor already compromised the target host and needs elevated permissions to establish persistence or execute code with the privileges of the most powerful user.

Looking for missing DLL
Identified as CVE-2019-15295, the vulnerability is owed to lack of verification that loaded binaries are signed and come from a trusted location.

Peleg Hadar of SafeBreach Labs says that Bitdefender's security service (vsserv.exe) and the updater service (updatesrv.exe) started as signed processes with SYSTEM authority.

However, they tried to load a missing DLL file ('RestartWatchDog.dll') from various locations in the PATH environment variable.


One of the locations is 'c:/python27,' which comes with an access control list (ACL) open to any authenticated user. This makes privilege escalation trivial because a user with normal permissions could write the missing DLL and have it loaded by Bitdefender's signed processes.
Hadar tested the theory with an unsigned DLL that wrote to a text file the name of the process loading it, the name of the user executing it, and the name of the DLL file.

His assumption was confirmed, and his 'RestartWatchDog.dll' file was loaded without a hitch.


The root of the issue is the ServiceInstance.dll library that attempts to load the missing DLL.
SafeBreach disclosed the vulnerability responsibly to Bitdefender on July 17 and on August 14 received validation from the antivirus maker.
On Monday, Bitdefender rolled out a patch for its Antivirus Free 2020 product. Users with an internet connection received the update automatically.

"An Untrusted Search Path vulnerability in the ServiceInstance.dll library versions 1.0.15.119 and lower, as used in Bitdefender Antivirus Free 2020 versions prior to 1.0.15.138, allows an attacker to load an arbitrary DLL file from the search path," reads Bitdefender's advisory.
SafeBreach published last week a report on a similar DLL hijacking issue in Trend Micro's Password Manager.
 

Mahesh Sudula

BitDefender Antivirus Free 2020 - Privilege Escalation to SYSTEM

August 21st, 2019
Peleg Hadar
Security Researcher, SafeBreach Labs
Introduction
SafeBreach Labs discovered a new vulnerability in BitDefender Antivirus Free 2020 software.
In this post, we will demonstrate how this vulnerability could be used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.
BitDefender Antivirus Free 2020
This is the latest version of the free version of BitDefender’s Antivirus software.
Some parts of the software run as:
a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions.
Non-PPL processes, which allow an attacker to load unsigned code, because the CIG (Code Integrity Guard) mechanism is not enforced.
In this post, we describe the vulnerability we found in the BitDefender Antivirus Free 2020.
We then demonstrate how this vulnerability can be exploited to achieve privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges.
Discovery
In our initial exploration of the software, we targeted the following BitDefender services:
“BitDefender Security Service” (vsserv.exe)
“BitDefender Updater Service” (updatesrv.exe)
because of the following reasons:
It runs as NT AUTHORITY\SYSTEM - the most privileged user account. This kind of service might be exposed to a user-to-SYSTEM privilege escalation, which is very useful and powerful to an attacker.
The executable of the service is signed by BitDefender and if the hacker finds a way to execute code within this process, it can be used as an application whitelisting bypass which can lead to security product evasion.
This service automatically starts once the computer boots, which means that it’s a potential target for an attacker to be used as a persistence mechanism.
Despite the fact it’s an antivirus, these services are running as non-PPL, which means that CIG (Code Integrity Guard) is not enforced, so unsigned code loading is possible into these processes.
In our exploration, we found that these services were started as signed processes and executed as NT AUTHORITY\SYSTEM.


Once executed, we noticed an interesting behavior:
As you can see, the services were trying to load a missing DLL file from different directories within the PATH environment variable.
Stay with us, we will analyze the root cause for trying to load the missing DLL file in the next section of the article.
PoC Demonstration
In our VM, Python 2.7 is installed. The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.
It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts, and (2) modify the system’s PATH variable to include that directory. This can be done by different applications.
In order to test this privilege escalation vulnerability, we compiled an unsigned DLL which writes the following to the filename of a txt file once the DLL is loaded:
The name of the process which loaded it
The username which executed it
The name of the DLL file

We were able to load an arbitrary DLL as a regular user and execute our code within multiple processes which are signed by BitDefender as NT AUTHORITY\SYSTEM.
Root Cause Analysis

Once the “BitDefender Update Service” (updatesrv.exe) and the “BitDefender Security Service” (vsserv.exe) are started, they load the ServiceInstance.dll library.
The ServiceInstance.dll library tries to load the “RestartWatchDog.dll” library by calling LoadLibraryW.

There are two root causes for this vulnerability:
The lack of safe DLL loading due to having an uncontrolled search path -
In this case, it is necessary to use the SetDefaultDllDirectories / LoadLibraryEx functions in order to control the paths from which a DLL can be loaded within the scope of the executable.
No digital certificate validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.
Potential Malicious Uses and Impact
Below we show three possible ways that an attacker can leverage the CVE-2019-15295 vulnerability we discovered and documented above.
Signed Execution and Whitelisting Bypass
The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion.
Persistence Mechanism
The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted.
Privilege Escalation
After an attacker gains access to a computer, he might have limited privileges which can limit access to certain files and data. The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer.
Affected Versions
BitDefender Antivirus Free 2020
ServiceInstance.dll - 1.0.15.119
Timeline
July 17th, 2019 - Vulnerability Reported
July 17th, 2019 - Initial Response from BitDefender
Aug 14th, 2019 - BitDefender has confirmed the vulnerability
Aug 19th, 2019 - BitDefender has published an advisory[1] and issued CVE-2019-15295
Untrusted Search Path vulnerability in ServiceInstance.dll (Bitdefender Antivirus Free 2020)
Publication date: August 21st, 2019
CVE ID:
CVE-2019-15295
CVSS score:
5.9 - Common Vulnerability Scoring System Version 3.0 Calculator
Affected vendors:
Bitdefender
Affected products:
Bitdefender Antivirus Free 2020
Vulnerability details:
An Untrusted Search Path vulnerability in the ServiceInstance.dll library versions 1.0.15.119 and lower, as used in Bitdefender Antivirus Free 2020 versions prior to 1.0.15.138, allows an attacker to load an arbitrary DLL file from the search path.
Additional details:
The issue was resolved in Bitdefender Antivirus Free version 1.0.15.138. Mitigation delivered automatically to affected userbase.
Credit:
Peleg Hadar of SafeBreach Labs
 
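The two posts above describe the same precondition from two angles: the news write-up notes that c:\python27 sat on PATH with an ACL writable by any authenticated user, and the SafeBreach root-cause section points out that ServiceInstance.dll neither restricted the DLL search path nor checked the signature of what it loaded. The script below is an added audit example, written for this thread; it is not code from SafeBreach, Bitdefender or either poster. It walks the machine-wide PATH (the one services inherit), reports directories where low-privilege principals hold write rights, and then lists DLLs in those directories that either lack a valid Authenticode signature or carry the file name the posts mention ('RestartWatchDog.dll'), which should not legitimately exist there. The principal list, the generic-right constants and the function names are my assumptions, and the script should run from an elevated prompt so every directory ACL is readable.

```powershell
# Added audit script (not from the SafeBreach post or Bitdefender's advisory).
# Finds PATH directories that low-privilege users can write to and flags DLLs
# inside them that are unsigned or match a watched name.
# Assumptions: the principal list and generic-right constants below are mine;
# IdentityReference names are the English ones, adjust for localized systems.

$script:LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Some ACEs store generic rights numerically rather than as FileSystemRights names;
# without this check a GENERIC_WRITE / GENERIC_ALL grant would be missed.
$script:GENERIC_WRITE = 0x40000000
$script:GENERIC_ALL   = 0x10000000

function Test-RuleGrantsWrite {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)

    # An ACE marked InheritOnly applies to children, not to the folder itself,
    # so it does not let anyone create a file directly in this directory.
    if ($Rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) {
        return $false
    }

    $rights    = [int]$Rule.FileSystemRights
    $writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData  # "create files" on a folder;
                                                                                   # Modify and FullControl include it
    return (($rights -band $writeData) -ne 0) -or
           (($rights -band $script:GENERIC_WRITE) -ne 0) -or
           (($rights -band $script:GENERIC_ALL) -ne 0)
}

function Find-WritablePathDirectory {
    # Services receive the machine-wide PATH, so that is the scope that matters here.
    $rawPath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $dirs = $rawPath -split ';' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique

    foreach ($dir in $dirs) {
        try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }

        $offending = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($script:LowPrivPrincipals -contains $_.IdentityReference.Value) -and
            (Test-RuleGrantsWrite -Rule $_)
        }
        foreach ($rule in $offending) {
            [pscustomobject]@{
                Directory = $dir
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights.ToString()
            }
        }
    }
}

function Find-SuspiciousDll {
    param(
        [string[]]$Directory,
        [string[]]$WatchName = @('RestartWatchDog.dll')   # name taken from the posts above
    )
    foreach ($dir in $Directory) {
        Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Same question WinVerifyTrust would answer inside the loader:
                # is this file signed by a trusted publisher?
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    File      = $_.FullName
                    Signature = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    NameMatch = ($WatchName -contains $_.Name)
                }
            } |
            Where-Object { $_.Signature -ne 'Valid' -or $_.NameMatch }
    }
}

# Usage: writable PATH directories first, then the DLLs worth a second look in them.
$writable = @(Find-WritablePathDirectory)
$writable | Format-Table -AutoSize
if ($writable.Count -gt 0) {
    Find-SuspiciousDll -Directory ($writable.Directory | Select-Object -Unique) | Format-Table -AutoSize
}
```

A hit from the first function on a box like the one in the posts would show the python27 directory paired with Authenticated Users and a right such as Modify. The second function deliberately reports both unsigned DLLs and a signed file that carries the watched name, since a valid signature from some other publisher says nothing about whether that file belongs on the service's search path. Fixing the finding means tightening the directory ACL or removing the directory from the machine PATH; the loader-side fix the root-cause section names (SetDefaultDllDirectories / LoadLibraryEx with a restricted search scope plus a WinVerifyTrust check) is the vendor's job and arrived in 1.0.15.138.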