[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
<\/span> Hardlink attacks become more and more popular on Windows operating systems. A hardlink is just a directory entry that points to an already existing file and redirects certain file operations to the actual target. When privileged processes interact with user controlled parts of the file system, hardlinks can be used to redirect privileged file operations in order to achieve an elevation of privileges. In the most recent versions of Windows, mitigations against hardlink attacks have been implemented. These require write access to the targeted file during link creation and protect from attacks like demonstrated in the following. However, unpatched systems are still vulnerable to this type of attack.<\/span><\/p>\n <\/span><\/p>\n Inside the directory <\/span>C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14.0.3752.1000.105\\Data\\IPS<\/em>, the Symantec Endpoint Protection service stores several different files. One set of them are of particular interest, since they are modifiable by low privileged user accounts:<\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200016-2.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200016-2\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n Despite being modifiable by low privileged users, all the above mentioned files are owned by high privileged users.<\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200016-3.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200016-3\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n Since the <\/span>C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14.0.3752.1000.105\\Data\\IPS<\/em> folder is also writable by low privileged user accounts, it is possible to replace the file <\/span>PEP_RUL.dat.bak<\/em> with a hardlink that points to a different file. In the following example, the <\/span>symboliclink-testing-tools<\/a> of James Forshaw are used to create the hardlink:<\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200016-4.png\" title_text=\"usd20200016-4\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n After the hardlink was placed, the Symantec Endpoint Protection service needs to be restarted. On a workstation, this can be achieved by restarting the computer.<\/span> [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200016-1.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200016-1\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n As one can see, the access permissions on the hardlink get modified. One can verify that this change also effects the targeted file by viewing its permission:<\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200016-5.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200016-5\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n Low privileged users now have write access to the targeted file. By using this attack on service executables or DLL files, it is easy for a local attacker to achieve an elevation of privileges.<\/span><\/p>\n <\/span><\/p>\n As the folder <\/span>C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14.0.3752.1000.105\\Data\\IPS<\/em> does only contain files owned by high privileged user accounts, it is questionable if it needs to be writable by low privileged users. Denying write access on this directory could be one possible fix. Inspecting targeted files before performing privileged file operations on them can also be used to prevent the demonstrated attack.<\/span><\/p>\n
Advisory ID<\/strong>: usd-2020-0016<\/span>
CVE Number<\/strong>: CVE-2020-5836<\/span>
Affected Product<\/strong>: Symantec Endpoint Protection<\/span>
Affected Version<\/strong>: 14.2.2.1<\/span>
Vulnerability Type<\/strong>: Hardlink Vulnerability<\/span>
Security Risk<\/strong>: Critical<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.broadcom.com\/<\/a>
Vendor Status<\/strong>: Fixed<\/span>
Vendor Advisory<\/strong>: <\/span>https:\/\/support.broadcom.com\/security-advisory\/content\/security-advisories\/Symantec-Endpoint-Protection-Security-Update\/SYMSA1762<\/a><\/p>\n<\/h3>\n
Description<\/h3>\n
Proof of Concept (PoC)<\/h3>\n
The following events can be captured after the restart:<\/span><\/p>\nFix<\/h3>\n
<\/h3>\n
References<\/h3>\n