Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Exploit Available for Symantec End Point Protection - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Exploit Available for Symantec End Point Protection

An exploit is now available at exploit-db.com for the Symantec End Point Protection privilege escalation vulnerability. Symantec released a patch for this issue earlier this week [1].

The vulnerability requires normal-user access to the affected system and can be used to escalate privileges to fully control the system (instead of being limited to a particular user) so this will make a great follow up exploit to a standard drive-by exploit that gains user privileges.

We have gotten some reports that users have problems installing the patch on legacy systems (e.g. Windows 2003). Applying the patch just fails in these cases and appears to have no ill effect on system stability.

[1] http://www.symantec.com/business/support/index?page=content&id=TECH223338

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

 Johannes

4473 Posts
ISC Handler
Aug 6th 2014
Thread locked Subscribe Aug 6th 2014
7 years ago
I believe you mean, "An exploit is now available..."
 Dan

9 Posts
Quote Aug 6th 2014
7 years ago
Could you please share the link to exploitDB? Not sure if Symantec is aware of it.
 Dan
2 Posts
Quote Aug 7th 2014
7 years ago
Hi,

This is not an issue with Symantec installer. This is happening because of outdated Verisign root and code signing certificates on Windows XP and Windows server 2003. You can follow below KB to get it resolved. It is tested OK.

http://www.symantec.com/business/support/index?page=content&id=TECH218029
 Darshan

4 Posts
Quote Aug 7th 2014
7 years ago
Install failure on Windows 2003 is not an issue with the update at all. You need to check your root certificates. We have updated a couple of servers successfully.
Refer to this knowledge base article and all will be well.
http://www.symantec.com/business/support/index?page=content&id=TECH218029
 Michael

32 Posts
Quote Aug 8th 2014
7 years ago
I've seen it in a few places but here is one:

http://packetstormsecurity.com/files/127772/Symantec-Endpoint-Protection-11.x-12.x-Kernel-Pool-Overflow.html
 SnwBrdRaw

2 Posts
Quote Aug 8th 2014
7 years ago

Sign Up for Free or Log In to start participating in the conversation!