Researchers discovered an issue with the pvmSvc.exe, a central control service, which was being executed as NT AUTHORITY/SYSTEM. Once executed, a missing DLL file was trying to load.
“In our VM, the c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes the privilege escalation simple and allows a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM,” wrote Peleg Hadar, a security researcher at SafeBreach Labs.
The vulnerability can provide attackers the ability to load and execute malicious payloads using a signed service, which could be abused by an attacker for various purposes such as Application Whitelisting Bypass.
Additionally the vulnerability could be used as a persistent attack mechanism, whereby once an attacker drops a malicious DLL in a vulnerable path, “the service will load the malicious code each time it is restarted.”
Most alarmingly, the vulnerability provides an attacker with the ability to operate as NT AUTHORITY/SYSTEM, the highest privilege, therefore every file and process on the computer can be accessed by the attacker.
Trend Micro released a security advisory informing users that an updated version of the password manager had been released, which resolved the DLL hijacking vulnerabilities. The patch is currently available to those who signed up for automatic updates, whilst others can manually update their software.
The anti-malware company stated that it had received no reports of any actual attacks against the affected products at this time.
Trend Micro wrote:
“Exploiting these types of vulnerabilities require that an attacker has access (physical or remote) to a vulnerable machine.
“Even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to upgrade to the latest build as soon as possible.”
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
