I would discuss a workaround in mind to prevent any DLL injection that might be used to execute on windows as part of a legitimate process. I tested this after reading the article of Peleg Hadar on the SafeBreach website. Peleg Hadar discovers a similar issue with multi Antivirus products which mean that issue might not related to antivirus vendor directly.
Symantec addressed this vulnerability as Medium level and advised to upgrade to the latest SEP version, and also they recommend to allow only trusted users to have local admin privilege. And I believe controlling trusted users is not effective and enough as they might become a target of attack especially after the PoC that is available on the website for how it is possible to hijack and evade system protection by using arbitrary Proxy DLL.
And as Symantec System Administrator, I recommend adding the completed paths in the ADC policy and block creating of the DLL files that belong to the wrong directory.
I tried to collect all DLL files that called by Symantec processes after the boot and here is the list (I will add more later on)
%windir%\System32\ftapihook32.dll
%windir%\System32\wow64log.dll
%windir%\SysWOW64\rpcss.dll
%windir%\SysWOW64\fsllib32.dll
%windir%\SysWOW64\wbem\wbemcomn.dll
%windir%\SysWOW64\wbem\DSPARSE.dll
And here are more list that belongs to legitimate executable files but in DLL extension! and with a wrong directory location as well
%windir%\SysWOW64\NTOSKRNL.EXE.DLL
%windir%\SysWOW64\csrss.exe.DLL
%windir%\SysWOW64\SppExtComObj.Exe.DLL
%windir%\SysWOW64\audiodg.exe.DLL
%windir%\SysWOW64\wbem\unsecapp.exe.DLL
%windir%\SysWOW64\winlogon.exe.DLL
%windir%\SysWOW64\wininit.exe.DLL
%windir%\SysWOW64\SecurityHealthService.exe.DLL
%windir%\SysWOW64\slui.exe.DLL
%windir%\SysWOW64\sppsvc.exe.DLL
%windir%\SysWOW64\services.exe.DLL
%windir%\SysWOW64\dwm.exe.DLL
%windir%\SysWOW64\smss.exe.DLL
%windir%\SysWOW64\spoolsv.exe.DLL
%windir%\SysWOW64\lsass.exe.DLL
%windir%\SysWOW64\LogonUI.exe.DLL
%windir%\SysWOW64\UsoClient.exe.DLL
%windir%\SysWOW64\conhost.exe.DLL
%windir%\SysWOW64\sihost.exe.DLL
%windir%\SysWOW64\taskhostw.exe.DLL
%windir%\SysWOW64\smartscreen.exe.DLL
%windir%\SysWOW64\RuntimeBroker.exe.DLL
%windir%\SysWOW64\consent.exe.DLL
%windir%\SysWOW64\MusNotification.exe.DLL
Screenshot from the test
So the workaround that can be made is by adding the above files in the ADC policy in SEPM and block the attempt to create these files in the wrong directory.
So, when the hacker will try to inject a bad DLL file using any of the above DLL file names, the SEP will prevent this attempt the machine will stay safe as the below screenshot :)
Please with any ADC policy, you have to test in a testing environment, and then pilot it with a small number of PC that runs the business application and then you will be ready to go for rollout.
Download the below pre-define policy and import it into your ADC. unzip it first, then copy the dat file to your SEPM server, and then from the ADC policy tab import this policy and paste the entry into your existing ADC policy.
http://mahouk.net/Downloads/CVE-2019-12758_ADC.zip
Remember, don't forget to test it before apply :)
Amir,
No comments:
Post a Comment