Check Point patches local privilege escalation vulnerability

By Staff Writer, ITWeb
Johannesburg, 28 Aug 2019

SafeBreach Labs has discovered a third local privilege escalation vulnerability, this time for Check Point’s Endpoint Security Initial Client software for Windows.

The flaw was reported to Check Point on 1 August, and patched with the release of Endpoint Security Initial Client for Windows version E81.30 yesterday.

The security flaw tracked as CVE-2019-8790 makes it possible for threat actors to run malicious payloads using system-level privileges, and slip through the anti-malware nets.

Peleg Hadar, a researcher from SafeBreach, said that in his initial exploration of the software, his organisation targeted the “Check Point Endpoint Agent” (CPDA.exe) and the “Check Point Device Auxiliary Framework” (IDAFServerHostService.exe).

He did this for several reasons. Firstly, the service runs as NT AUTHORITY\SYSTEM, the most privileged user account. A service of this kind might be exposed to a user-to-SYSTEM privilege escalation, which could be extremely useful for any bad actor.

In addition, the executable of the service is signed by Check Point and, if an attacker finds a way to execute code within this process, it can be used to bypass application whitelisting, a technique widely used to prevent the execution of apps that might be malicious, or are unknown.

Finally, the service automatically starts once the PC boots up, meaning that it is a potential target for a hacker to use as a persistence mechanism. Persistence mechanisms ensure that objects are saved in a permanent memory device, and that they are loaded from there when necessary.

In SafeBreach’s exploration, Hadar found that once the Check Point Device Auxiliary Framework Service was started, the IDAFServerHostService.exe signed process was executed as NT AUTHORITY\SYSTEM.

“Once executed, the service tries to load the atl110.dll library, and the service attempted to load a missing DLL file from different directories within the PATH environment variable.”

He says it is important to know that firstly, an administrative user or process must set the directory ACLs to allow access to non-admin user accounts, and also, modify the system’s PATH variable to include that directory. “This can be done by different applications.”
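The precondition Hadar describes, a directory on the system PATH whose ACL lets non-admin accounts write to it, can be audited on any Windows host. The following PowerShell script is an added example and is not Check Point’s or SafeBreach’s code; it assumes it is run from an elevated prompt and that the principal names listed are the broad groups worth flagging.

```powershell
# Added example (not Check Point's or SafeBreach's code). Audits the machine-wide
# PATH for directories that broad, non-admin principals can write to: the
# precondition the article gives for a SYSTEM service loading a planted DLL.
# Run from an elevated prompt so that every directory's ACL can be read.
function Find-WritablePathDirectory {
    # Principals treated as "any non-admin user" (assumption; extend as needed).
    $broadPrincipals = @('Everyone', 'BUILTIN\Users',
                         'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() -ne '' })) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{ Directory = $dir; Finding = 'Missing'; Principal = $null; Rights = $null }
            continue
        }
        try { $acl = Get-Acl -LiteralPath $dir }
        catch {
            [pscustomobject]@{ Directory = $dir; Finding = 'AclUnreadable'; Principal = $null; Rights = $_.Exception.Message }
            continue
        }
        foreach ($ace in $acl.Access) {
            # Only Allow entries for the broad groups are considered; Deny entries
            # are not evaluated here, so review each hit by hand.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Generic rights (e.g. GENERIC_WRITE) appear as large numeric values
            # and are not decoded by this mask.
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir
                    Finding   = 'WritableByNonAdmin'
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-WritablePathDirectory | Format-Table -AutoSize
```

Any directory reported as WritableByNonAdmin should have its ACL tightened or be removed from the machine PATH; the user-level PATH of service accounts is not covered by this check.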

This type of vulnerability is a favourite with threat actors. It is often used during the later stage of their attacks, once the target machine has been infiltrated and they need to elevate permissions to establish persistence and further compromise the targeted computer.
