Researchers have uncovered a set of DLL-hijacking vulnerabilities in Autodesk, Trend Micro and Kaspersky software.
On Monday, SafeBreach Labs published three security advisories describing the bugs, which were privately reported to the vendors prior to publication.
The first vulnerability, tracked as CVE-2019-15628, affects Trend Micro Maximum Security version 16.0.1221 and below. One of its components, the Trend Micro Solution Platform service, coreServiceShell.exe, runs as NT AUTHORITY\SYSTEM, the highest privilege level on Windows, and it was this executable that the researchers examined.
When coreServiceShell.exe runs, it loads a library, paCoreProductAdaptor.dll. One of the DLLs sought during this load, however, was missing from the system, and the absence of both safe DLL loading and signature validation meant that attackers could exploit the gap by supplying arbitrary DLLs of their own.
The ability to load and execute arbitrary DLL files inside high-privileged, signed software could be used to bypass application whitelisting, evade security protections and potentially escalate privileges, the researchers say.
"The vulnerability enables attackers to continuously load and execute malicious payloads each time the service is loaded," SafeBreach Labs says. "This means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code every time it starts again."
The second vulnerability affects Kaspersky Secure Connection, a virtual private network (VPN) client bundled with Kaspersky Internet Security products that establishes a secure connection to the vendor's servers.
Tracked as CVE-2019-15689, the bug affects software versions prior to 4.0 and can only be exploited if an attacker has already obtained administrator privileges on the machine.
The Kaspersky Secure Connection service also runs as NT AUTHORITY\SYSTEM and, in the same way as the Trend Micro problem above, Kaspersky Secure Connection 3.0.0 (KSDE) searches for missing DLLs through an uncontrolled search path and without signature validation, opening a path for abuse.
Potentially useful as part of a post-exploitation chain, the vulnerability allows an arbitrary, unsigned DLL to be loaded into a process that is signed by AO Kaspersky Lab and runs with high privileges.
The last vulnerability, CVE-2019-7365, was found in the Autodesk Desktop App. Its service, AdAppMgrSvc.exe, ships with Autodesk software from 2017 onward and likewise runs as NT AUTHORITY\SYSTEM. A call to a missing DLL from a companion library again allowed arbitrary DLL files to be loaded, and because there is no digital certificate validation, unsigned DLLs can be executed.
"Once an attacker accesses a computer, it may have limited privileges that restrict access to certain files and data," the researchers said. "The service enables it to run as NT AUTHORITY\SYSTEM, which is the most powerful user in Windows, so that it has access to almost every file and process that belongs to the user on the computer."
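The audit below is added here as an example; it is not code from SafeBreach Labs, ZDNet or any of the vendors named in this article. It turns the two preconditions that all three bugs share, a service running as SYSTEM that resolves a missing DLL through the ordinary Windows search order and no signature check on whatever it finds, into a check a defender or tester can run on a Windows host. The function names and the output layout are this example's own; it relies only on the standard Get-CimInstance, Get-Acl and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example; not code from SafeBreach Labs, ZDNet or any of the three vendors.
# Audits every service that runs as LocalSystem for the two preconditions behind the
# bugs described above: a directory on the service's DLL search path that a standard
# user can write to, and DLLs beside the service binary with no valid Authenticode
# signature. Run from an elevated PowerShell prompt on the host under review. It only
# reports exposure; it never plants or loads a DLL.

# Directories a plain LoadLibrary("name.dll") call walks, in order, when the DLL is not
# already in the process and no full path is given (SafeDllSearchMode on, the default):
# the binary's own directory, System32, the 16-bit System directory, the Windows
# directory, the current directory (omitted here; for a service it is normally System32)
# and then each entry on the machine PATH. Services never see a user's PATH.
function Get-DllSearchPath {
    param([Parameter(Mandatory)][string]$ImageDirectory)
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ -and $_.Trim() }
    $dirs = @(
        $ImageDirectory,
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'System'),
        $env:SystemRoot
    ) + @($machinePath)
    $dirs | ForEach-Object { $_.Trim().TrimEnd('\') } | Select-Object -Unique
}

# Extracts the executable from a Win32_Service PathName such as
#   "C:\Program Files\Vendor\svc.exe" -run   or   C:\Windows\system32\svchost.exe -k x
function Get-ServiceImagePath {
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

# True when a low-privileged principal holds an Allow ACE granting write or create
# rights on $Path. ACEs expressed as generic rights (GENERIC_WRITE, GENERIC_ALL) are
# not decoded here, so read a negative result as "not obviously writable", not "safe".
function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $lowPriv   = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                   'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# One row per LocalSystem service that shows either precondition.
function Invoke-DllHijackAudit {
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName }
    foreach ($svc in $services) {
        $image = Get-ServiceImagePath -PathName $svc.PathName
        if (-not (Test-Path -LiteralPath $image)) { continue }
        $dir = Split-Path -Parent $image

        # A writable directory anywhere on the path wins the search for a DLL that is
        # missing from every directory before it; that is where a payload gets planted.
        $writable = @(Get-DllSearchPath -ImageDirectory $dir | Where-Object { Test-LowPrivWritable $_ })

        # With no signature check, an unsigned DLL next to the binary loads like any
        # other. Status values other than Valid include NotSigned and HashMismatch.
        $unsigned = @(Get-ChildItem -LiteralPath $dir -Filter *.dll -ErrorAction SilentlyContinue |
            Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' })

        if ($writable.Count -or $unsigned.Count) {
            [pscustomobject]@{
                Service            = $svc.Name
                Image              = $image
                WritableSearchDirs = ($writable -join '; ')
                UnsignedDlls       = (($unsigned | ForEach-Object Name) -join '; ')
            }
        }
    }
}

Invoke-DllHijackAudit | Format-Table -AutoSize -Wrap
```

The script reports where the preconditions exist; it does not tell you which DLL name a given service fails to find. For that, the usual method is to watch the service start under Process Monitor with a filter of Result is NAME NOT FOUND and Path ends with .dll, which shows the exact file name and every directory probed for it. On the vendor side, the fix that removes the whole class is to resolve dependencies with SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) or LoadLibraryEx with an explicit search flag, and to verify the module's signature with WinVerifyTrust before trusting it.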
The vulnerabilities were reported to Trend Micro, Kaspersky and Autodesk in July, and each vendor confirmed the flaws in the same month or in August.
Update 15.49 GMT: A Trend Micro spokesperson said: "Trend Micro has released an updated version of the code for these vulnerabilities, which is currently available through the product's ActiveUpdate automatic function for all affected products."
Trend Micro asked for time beyond the usual 90-day disclosure policy and, after resolving the issue, published a security advisory on November 25. Kaspersky fixed the flaw and posted a security advisory on December 2. Autodesk has not yet published an advisory. A Kaspersky spokesperson told ZDNet:
"Kaspersky has fixed a security issue identified in Kaspersky Secure Connection that could potentially allow third parties to execute arbitrary code locally. To exploit this flaw, an attacker must have local administrator rights and full control of the computer.
This security issue was fixed by the 2020 patch E, which was delivered to users through Kaspersky's automatic update procedures. A restart is required to apply these updates."