Local Privilege Escalation in G Data’s Security Client “EndpointProtection Enterprise” prior to 17.08.2021

[Florian Bogner via Fulldisclosure <fulldisclosure () seclists org>]

DATA Anti-Virus: Abusing OpenSSL to get local admin

Metadata
===================================================
Release Date: 05-Oct-2021
Author: Florian Bogner @ https://bee-itsecurity.at
Affected product:  G Data’s Security Client “EndpointProtection Enterprise”
Fixed in: all versions after 17.08.2021
Tested on: Windows 10 x64 fully patched
URL: https://bogner.sh/2021/10/g-data-anti-virus-abusing-openssl-to-get-local-admin/
Vulnerability Status: Fixed with new release

Product Description
===================================================
The most sensitive areas of your systems are your employees’ workstations. Where attachments are opened, passwords are 
entered, and sensitive data is processed. The servers that make connections across the entire network. And smartphones 
that come and go with your employees every day. This is precisely where our endpoint security solutions protect your 
company assets. [https://www.gdata-software.com/business/endpoint-security]

Vulnerability Description
===================================================
The underlying problem was, that the GdAgentSrv (which is running as SYSTEM) tried to load its OpenSSL configuration 
from the non-existing path C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-141-static\openssl.cnf (newer versions 
load from C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-static\openssl.cnf). This can be abused by any local 
user to load arbitrary libraries (DLLs) and execute untrusted code in the affected process. This leads to a privilege 
escalation from non-admin user to SYSTEM.

For more information please visit: https://bogner.sh/2021/10/g-data-anti-virus-abusing-openssl-to-get-local-admin/

Suggested Solution
===================================================
Users should update to the latest available version.

Disclosure Timeline
===================================================
10.10.2019: The issue has been identified, documented and reported (ticket number CAS-730826-F7K4R9). No reply received.
11.2020: The issue was communicated again to G Data’s Sales Team in Austria. After initial communication no further 
feedback.
06.2021: The issues was abused during a security check to overtake another client’s infrastructure.
14.06.2021: G DATA confirms the vulnerability. Public disclosure is planed for 15th September 2021
17.08.2021: Fixed version is released to the public
05.10.2021: Public disclosure

___________

Florian Bogner
Information Security Expert, Speaker

Bee IT Security Consulting GmbH
Nibelungenstraße 37
3123 A-Schweinern

Tel: +43 660 123 9 454
Mail: florian.bogner () bee-itsecurity at
Web: https://www.bee-itsecurity.at
 
 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/