Cybersecurity researchers from SafeBreach revealed three vulnerabilities affecting Autodesk, Trend Micro and Kaspersky software. The problem stems from a bug in loading DLLs used by these programs.
The Trend Micro vulnerability, CVE-2019-15628, affects the 16.0.1221 and earlier versions of Trend Micro Maximum Security. One of the software components, the Trend Micro Solution Platform service, coreServiceShell.exe, runs as NT AUTHORITY\SYSTEM with high permission levels. It is this executable that the researchers have targeted.
Once coreServiceShell.exe runs, it loads a library called "paCoreProductAdaptor.dll". However, that DLL was missing, the search for it was not restricted to a safe location, and no signature validation was performed, so attackers could exploit this vulnerability to load unsigned DLLs.
Being able to load and execute arbitrary DLLs within signed software running with elevated privileges can lead to application whitelist bypass, bypass of cybersecurity safeguards, persistence (since the software runs at startup) and potentially privilege escalation, the researchers say.
This vulnerability gives attackers the ability to persistently load and execute malicious code every time the service is loaded, SafeBreach Labs says: "This means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code every time it is restarted."
DLLS AT THE HEART OF THE FAULTS
The Kaspersky vulnerability concerns Kaspersky Secure Connection, a Virtual Private Network (VPN) client bundled with Kaspersky Internet Security solutions to create a secure connection to the provider's servers.
Tracked as CVE-2019-15689, this bug affects software versions prior to 4.0 and can only be abused if an attacker has already obtained administrator privileges.
Kaspersky Secure Connection also runs under NT AUTHORITY\SYSTEM and, like the Trend Micro service described above, the Kaspersky Secure Connection 3.0.0 (KSDE) service searches for DLLs that are missing, opening the way for abuse via an uncontrolled search path and the absence of signature validation.
This vulnerability, potentially usable as part of a post-exploitation chain, allows arbitrary DLLs to be loaded by a service signed by AO Kaspersky Lab and running with high authorization levels.
The Autodesk vulnerability, CVE-2019-7365, was discovered in the Autodesk desktop application. The desktop application service AdAppMgrSvc.exe is used by Autodesk software in its versions from 2017 to the present and runs as NT AUTHORITY\SYSTEM. A call to a missing DLL made by an associated library also allowed potentially malicious DLLs to be loaded. In addition, there is no digital certificate validation, so unsigned DLLs can be executed.
After successfully accessing a computer, an attacker could have only limited privileges, restricting access to certain files and data, the researchers said: "This service gives him the ability to run under NT AUTHORITY\SYSTEM, which is the most powerful Windows user, so he can access almost any file and process belonging to the user of the computer."
The vulnerabilities were reported to Trend Micro, Kaspersky, and Autodesk in July, with each security vulnerability confirmed in the same month or in August. A Trend Micro spokesperson told us: "Trend Micro has released a patch for these vulnerabilities, currently available through the product's Automatic ActiveUpdate feature, for all affected products. Regular automatic updates should have already received this update."
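As an added illustration (not code from SafeBreach or any of the vendors), the following Python script shows how a defender could hunt for the pattern the three bugs share: a module without a valid signature loaded into a process running as NT AUTHORITY\SYSTEM, ranked higher when the module comes from a location ordinary users can write to. The log lines are constructed in the style of Sysmon Event ID 7 image-load records, and the field names (Image, ImageLoaded, Signed, SignatureStatus, User) are assumed to follow that format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the style of Sysmon Event ID 7 (image loaded).
# They are illustrative only, not telemetry from any product named in the article.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Program Files\\Vendor\\svc.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll "
    "Signed=true Signature=Microsoft Windows SignatureStatus=Valid User=NT AUTHORITY\\SYSTEM",
    "EventID=7 Image=C:\\Program Files\\Vendor\\svc.exe ImageLoaded=C:\\Users\\Public\\adaptor.dll "
    "Signed=false Signature=- SignatureStatus=Unavailable User=NT AUTHORITY\\SYSTEM",
    "EventID=7 Image=C:\\Program Files\\Vendor\\svc.exe ImageLoaded=C:\\Program Files\\Vendor\\plugin.dll "
    "Signed=false Signature=- SignatureStatus=Unavailable User=NT AUTHORITY\\SYSTEM",
    "EventID=7 Image=C:\\Users\\alice\\app.exe ImageLoaded=C:\\Users\\alice\\helper.dll "
    "Signed=false Signature=- SignatureStatus=Unavailable User=DESKTOP\\alice",
]

# Directories that only administrators can write to on a default Windows install.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value Key=Value' record; values may contain spaces but never ' key='."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def assess(event: Dict[str, str]) -> Optional[str]:
    """Severity for a module without a valid signature loaded into a SYSTEM process, else None."""
    if event.get("EventID") != "7":
        return None
    if not event.get("User", "").upper().endswith("\\SYSTEM"):
        return None  # unsigned loads by ordinary users are a different, lower concern
    if event.get("Signed", "").lower() == "true" and event.get("SignatureStatus") == "Valid":
        return None  # properly signed module: nothing to flag
    if event.get("ImageLoaded", "").lower().startswith(PROTECTED_PREFIXES):
        return "medium"  # unsigned but in an admin-only directory: confirm it is expected
    return "high"  # unsigned, SYSTEM process, user-writable path: the hijack shape described above


def find_suspicious_loads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, host process, loaded module) for every flagged record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = assess(ev)
        if sev:
            hits.append((sev, ev["Image"], ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for sev, proc, dll in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"[{sev}] {proc} loaded {dll}")
```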