gpluslmka.blogg.se

Install symantec endpoint protection manager 14

Moreover, the installation uses the C:\TEMP folder, which the user fully controls, so further attacks with symlinks seem to be possible. By altering the command line, the attacker can execute any chosen file. The attacker controls the file vpremote.dat, which is used to provide the command line for the execution of the setup. The attacker escalates privileges not on the machine that has the SEPM installed, but on the machine to which the SEP is being remotely pushed (installed).


Exploitation can take place at the moment a remote installation of the SEP is happening. Exploiting this EoP gives a low-privileged user the ability to execute any file as SYSTEM. The latest version we tested is SEPM Version 14 (14.2 RU2 MP1) build 5569 (.2100). Known to Neurosoft’s RedyOps Labs since: An Elevation of Privilege (EoP) exists in SEPM 14.2 RU2 MP1. Assigned CVE: CVE-2020-5835 has been assigned and RedyOps Labs has been publicly acknowledged by the vendor.
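
A defender-side check for the user-controlled staging folder described above, as an added example that is not part of the original advisory or of Symantec's code: it reports non-administrative principals that hold write access to the folder and any reparse points directly inside it. The function name and the list of trusted SIDs are assumptions; C:\TEMP is the path named in the text.

```powershell
# Added example (not vendor or advisory code): audit the push-install staging folder.
function Test-StagingDirectory {
    param([string]$Path = 'C:\TEMP')   # folder named in the text above

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    # Assumption: only these principals should be able to write here.
    $trusted = @(
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464', # TrustedInstaller
        'S-1-3-0'         # CREATOR OWNER: placeholder ACE, applies only to objects already created
    )
    # WriteData/CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete,
    # ChangePermissions, TakeOwnership, GENERIC_ALL, GENERIC_WRITE.
    $writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
                 0x10000000 -bor 0x40000000

    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $writers = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $sid -and
            ([int]$rule.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{ Sid = $sid; Rights = $rule.FileSystemRights }
        }
    }

    # Links or junctions in the folder can redirect a privileged file operation.
    # Top level only, so the scan itself never follows a link.
    $links = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint }

    [pscustomobject]@{
        Path             = $Path
        Exists           = $true
        Owner            = $acl.Owner
        UntrustedWriters = @($writers)
        ReparsePoints    = @($links | ForEach-Object FullName)
    }
}

Test-StagingDirectory | Format-List
```

An empty `UntrustedWriters` list and an empty `ReparsePoints` list on the target machine mean a low-privileged user cannot stage or redirect files in that folder.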













