Related vulnerability
Description
CVE-2018-18368 SEP Manager EoP Exploit
Introduction
# Summary
**Product Name**: Symantec Endpoint Protection Manager 14.2 MP1, build 1023 (14.2.1023.0100); older versions may also be affected
**Impact**: **High**. A standard Windows user (not an administrator) can escalate to **NT SERVICE\semwebsrv**. That account has access to many SEPM components and can tamper with JSP, PHP and probably JAR files, so a full takeover of SEPM appears possible.
Further escalation to SYSTEM is also possible.
**Vulnerability Type**: DLL Preloading
**DLL**: dbicudtx16.dll
**Affected process**: php-cgi.exe
**Attack Vector**: local
# Description
When a user opens the SEPM console and attempts to log in, php-cgi.exe is executed as **NT SERVICE\semwebsrv** and tries to load **dbicudtx16.dll** from several locations.
One of the directories it searches is **C:\bin32**. That directory does not exist by default, and any user can create folders directly under C:\, so a standard user can create C:\bin32 and place a malicious dbicudtx16.dll in it.
The DLL is loaded the next time anyone logs in to the SEPM, running the attacker's code as NT SERVICE\semwebsrv.
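The following PowerShell is an added example written for this write-up; it is not code from the PoC repository or from Symantec. It audits the C:\bin32 search path from an unprivileged shell, applies the usual stopgap for this class of DLL preloading (pre-create the directory as an administrator and deny writes to everyone else) and, where Sysmon image-load logging (Event ID 7) is available, looks for modules loaded from that directory. The function names, the list of "low-privileged" principals checked, and the Sysmon dependency are assumptions made here; the directory, DLL and process names come from the description above.

```powershell
# Added example (not part of the PoC repository or of Symantec's software).
# Assumed: directory/DLL/process names from the write-up; function names, the
# low-privileged principal list and the Sysmon Event ID 7 dependency are choices made here.

$Bin32Dir  = 'C:\bin32'
$DriveRoot = 'C:\'
$DllName   = 'dbicudtx16.dll'

function Test-Bin32Exposure {
    # Audit from a standard-user shell: does C:\bin32 exist, does it already hold the
    # DLL, and which low-privileged principals could create it or write into it?
    $exists     = Test-Path -LiteralPath $Bin32Dir -PathType Container
    $dllPresent = $exists -and (Test-Path -LiteralPath (Join-Path $Bin32Dir $DllName) -PathType Leaf)

    # Missing directory: who may create folders in C:\ (Authenticated Users, by default).
    # Existing directory: who may create files inside it.
    $target = if ($exists) { $Bin32Dir } else { $DriveRoot }
    $needed = if ($exists) { [int][System.Security.AccessControl.FileSystemRights]::CreateFiles } else { [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories }
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

    $acl = Get-Acl -LiteralPath $target
    $weakAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and   # ACE applies to $target itself
        (([int]$_.FileSystemRights -band $needed) -ne 0)
    })
    $trustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

    [pscustomobject]@{
        Directory  = $Bin32Dir
        Exists     = $exists
        DllPresent = $dllPresent
        Owner      = $acl.Owner
        WeakAces   = @($weakAces | ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })
        Exposed    = ($weakAces.Count -gt 0) -or ($exists -and ($trustedOwners -notcontains $acl.Owner))
    }
}

function Protect-Bin32Directory {
    # Stopgap until the vendor fix is deployed (run elevated): pre-create C:\bin32,
    # break inheritance, allow writes only to SYSTEM and Administrators, and give
    # everyone else read/execute so the search still sees an accessible, empty directory.
    if (-not (Test-Path -LiteralPath $Bin32Dir -PathType Container)) {
        New-Item -ItemType Directory -Path $Bin32Dir | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Bin32Dir
    $acl.SetAccessRuleProtection($true, $false)              # stop inheriting, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators';           Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute' }
    )
    foreach ($r in $rules) {
        $rights = [System.Security.AccessControl.FileSystemRights]$r.Rights
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($r.Id, $rights, $inherit, $none, $allow))
    }
    Set-Acl -LiteralPath $Bin32Dir -AclObject $acl
}

function Find-Bin32DllLoad {
    # Detection (assumes Sysmon with ImageLoad logging, Event ID 7): any module loaded
    # from C:\bin32 is suspicious; dbicudtx16.dll loaded by php-cgi.exe is this bug.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['ImageLoaded'] -like "$Bin32Dir\*") {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Process     = $field['Image']
                ImageLoaded = $field['ImageLoaded']
                Signed      = $field['Signed']
                Confirmed   = ($field['Image'] -like '*\php-cgi.exe') -and ($field['ImageLoaded'] -like "*\$DllName")
            }
        }
    }
}

# Usage: Test-Bin32Exposure from a standard-user shell; Protect-Bin32Directory elevated;
# Find-Bin32DllLoad | Format-Table -AutoSize on hosts with Sysmon.
```

Pre-creating the directory is only a stopgap: it removes the unprivileged write path, but the binary still searches C:\bin32, so the vendor fix (a build that no longer loads from that path, or loads it from a protected directory) is what actually closes the issue. Test-Bin32Exposure is deliberately read-only; it inspects ACLs rather than trying to create the directory, so running it on a production SEPM host leaves no trace.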
# PoC
You can find a full detailed video on the following link:
https://youtu.be/e_hbJ9NdIcg
**Timestamps in the video:**
00:00 - 00:50 -> identification
00:51 - 02:27 -> attacker's privileges
02:28 - 03:05 -> the attack
03:06 - 03:50 -> triggering the escalation
03:51 - 09:23 -> providing some attack scenarios
File snapshot
[4.0K] /data/pocs/09560f5ff605a9a413e2cfe5b32966ca29d86d7d
├── [2.3K] disclosure.md
├── [4.0K] Exploit-Source
│ ├── [4.0K] SEPM-14_MP1.2
│ │ ├── [ 430] pch.cpp
│ │ ├── [1.2K] pch.h
│ │ ├── [1.1K] SEPM-14_MP1.2.cpp
│ │ ├── [8.5K] SEPM-14_MP1.2.vcxproj
│ │ ├── [1.2K] SEPM-14_MP1.2.vcxproj.filters
│ │ ├── [ 165] SEPM-14_MP1.2.vcxproj.user
│ │ └── [4.0K] x64
│ │ └── [4.0K] Release
│ │ ├── [1.4K] SEPM-14_MP1.2.Build.CppClean.log
│ │ └── [ 3] SEPM-14_MP1.2.log
│ └── [1.4K] SEPM-14_MP1 2.sln
└── [1.4K] README.md
4 directories, 11 files
Notes
1. Accessing the PoC through the original source is recommended.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.