
#SYMANTEC ENDPOINT PROTECTION LOCAL PRIVILEGE ESCALATION#
A local privilege escalation vulnerability exists in one of the RPC endpoints exposed by a Symantec Endpoint Protection (SEP) userland service. It can be exploited by any unprivileged local user with the ability to execute arbitrary code. The endpoint provides an arbitrary file move: a caller can move a file from one location they control to another, and because the service performs the move as SYSTEM, the primitive can be turned into arbitrary code execution in the SYSTEM context. The bug was disclosed through ZDI as ZDI-20-228, assigned CVE-2020-5825, and fixed in version. Most systems should have been patched automatically by now, but users who have not updated are urged to patch immediately.

The bug was discovered independently by our FusionX R&D team and was disclosed to ZDI by z0mb1e in early 2020.

#ANALYSIS#
All analysis was performed using version. At a high level, SEP's architecture can be described by the following diagram:

While there have been some architectural changes since this minor version, they are not substantive enough to change much in the diagram above. SymCorpUI is the userland GUI used to interact with SEP: inspect policy, start scans, and change the settings of the local instance. Nearly all of its requests are proxied to ccSvcHst through COM objects for processing. ccSvcHst is the privileged service at the centre of SEP, its local hivemind, and it carries out all scanning, configuration, isolation, and so on. It exposes a variety of input surfaces, including COM objects (both LocalServer and InprocServer), RPC endpoints, TCP ports, extended service control codes, and others. It additionally interfaces, via I/O control codes (IOCTLs), with the roughly 13 kernel drivers the product loads.
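The following PowerShell script is an added example, not code from the original post or from Symantec; it enumerates, on a host with SEP installed, the ccSvcHst input surfaces the analysis above lists (the SYSTEM and per-user ccSvcHst processes, their TCP listeners, the loaded Symantec kernel drivers, the COM servers that resolve into the SEP binary directory, and the RPC interfaces compiled into those binaries). It assumes the service's image path contains ccSvcHst.exe, that the COM proxies live in the same directory as that binary, and that the optional RPC step has James Forshaw's NtObjectManager module installed (its Get-RpcServer cmdlet parses RPC servers out of a PE). The driver-name filter is a heuristic. Run it from an elevated prompt.

```powershell
# Added example: enumerate the SEP attack surface described in the analysis.
# Assumptions (not stated by the post): the service image path contains ccSvcHst.exe,
# COM servers sit in the same directory, NtObjectManager is optional for the RPC step.

# 1. Locate the privileged ccSvcHst service by its image path rather than by a guessed name.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'ccSvcHst\.exe' } | Select-Object -First 1
if (-not $svc) { throw 'No service hosting ccSvcHst.exe found; is SEP installed?' }
$exe    = [regex]::Match($svc.PathName, '^"?(.+?ccSvcHst\.exe)').Groups[1].Value
$sepDir = Split-Path $exe -Parent
"Service {0} ({1}) runs as {2} from {3}" -f $svc.Name, $svc.DisplayName, $svc.StartName, $exe

# 2. ccSvcHst processes: one SYSTEM instance (the service) plus per-user instances.
$procs = @(Get-Process -Name ccSvcHst -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $owner = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.Id)" | Invoke-CimMethod -MethodName GetOwner
    "ccSvcHst PID {0} owner {1}\{2}" -f $p.Id, $owner.Domain, $owner.User
}

# 3. TCP listeners owned by those processes.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $procs.Id -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 4. Kernel drivers shipped with SEP (the post counts roughly 13). Heuristic match on
#    vendor path or the Sym* naming convention; adjust for your build.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'Symantec' -or $_.Name -like 'Sym*' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 5. COM servers (LocalServer32 and InprocServer32) whose image lives in the SEP directory.
#    These are the objects SymCorpUI uses to proxy requests into ccSvcHst.
$comServers = foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID') {
    if (-not (Test-Path $root)) { continue }
    foreach ($clsid in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        foreach ($kind in 'LocalServer32', 'InprocServer32') {
            $key = Join-Path $clsid.PSPath $kind
            if (-not (Test-Path $key)) { continue }
            $server = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server.IndexOf($sepDir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ CLSID = $clsid.PSChildName; Kind = $kind; Server = $server }
            }
        }
    }
}
"{0} COM server registrations point into {1}" -f @($comServers).Count, $sepDir
$comServers | Sort-Object Kind, Server | Format-Table -AutoSize

# 6. RPC interfaces implemented by the SEP binaries (requires NtObjectManager:
#    Install-Module NtObjectManager). Get-RpcServer statically parses the RPC runtime
#    structures in a PE, so this works without the service running.
if (Get-Module -ListAvailable -Name NtObjectManager) {
    Import-Module NtObjectManager
    Get-ChildItem $sepDir -Include *.dll, *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-RpcServer -FullPath $_.FullName -ErrorAction SilentlyContinue } |
        Select-Object Name, InterfaceId, InterfaceVersion, @{ n = 'Procedures'; e = { $_.Procedures.Count } } |
        Format-Table -AutoSize
} else {
    'NtObjectManager not installed; skipping RPC interface enumeration.'
}
```

Step 6 is the one that matters for a bug of this class: every procedure of every interface hosted by the SYSTEM ccSvcHst instance is reachable from an unprivileged session unless the interface registers a security callback or the service impersonates the caller before touching the file system, so the interface list is the starting point for auditing which procedures take file paths.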
