Symantec Endpoint Protection un-installation password bypass

2013.09.05
Credit: Aaron Lewis
Risk: High
Local: Yes
Remote: No
CWE: N/A

Description:
---------------------------------------------
A weakness has been revealed in the SEP installation that allows a user to uninstall the product without prior knowledge of the un-installation password.

Affected version: 12.1.2015.2015
Affected OS: Windows XP

Details:
---------------------------------------------
The MSI module first tries to retrieve the password from the registry, at:

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SmcInstData

If the operation succeeds, SEP prompts for the un-installation password. However, the operation may fail under two circumstances:

1) the key doesn't exist
2) the process doesn't have permission to read the key

On Windows XP, the registry hook implementation of Symantec Endpoint Protection was incomplete. Although it forbids removing the SMC keys, altering the permissions on the SMC keys still works. To bypass the mechanism, the end user needs to manually revoke all read permissions on the SMC key, which is:

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

P.S: Administrator privilege is still required to remove this product!

P.P.S: Legal acknowledgement: This vulnerability has already been reported to the Symantec Threat Response team, which ignored it.

--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
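As an added defender-side audit, not part of the original advisory: a PowerShell check (assumes PowerShell 3.0 or later running with administrative rights) that reports whether the SMC key and its SmcInstData value are still readable and whether any ACE denies read access on the key, which is exactly the condition that makes the uninstaller skip the password prompt.

```powershell
# Added audit check (not from the advisory): flag the state in which the SEP
# uninstaller would fail to read SmcInstData and therefore skip the password prompt.
# Assumes PowerShell 3.0+ and an elevated session.
$KeyPath   = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
$ValueName = 'SmcInstData'
$ReadBits  = [int][System.Security.AccessControl.RegistryRights]::ReadKey

function Test-SepUninstallPasswordGuard {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)
    $result = [ordered]@{ KeyExists = $false; AclReadable = $false; ValueReadable = $false; Findings = @() }

    # Condition 1 from the advisory: the key does not exist at all.
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Findings += "Key missing: $Path (uninstaller would not prompt for a password)"
        return [pscustomobject]$result
    }
    $result.KeyExists = $true

    # Reading the security descriptor itself needs READ_CONTROL; if even an
    # administrator cannot read it, read access has very likely been stripped.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $result.AclReadable = $true
    } catch {
        $result.Findings += "Cannot read ACL of $Path ($($_.Exception.Message)); read access may have been revoked"
        return [pscustomobject]$result
    }

    # Condition 2: any explicit Deny covering read rights, or no Allow granting them.
    $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny'  -and (([int]$_.RegistryRights -band $ReadBits) -ne 0) }
    $allows = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights -band $ReadBits) -ne 0) }
    foreach ($d in $denies) { $result.Findings += "Explicit Deny of read rights for $($d.IdentityReference) on $Path" }
    if (-not $allows) { $result.Findings += "No ACE grants read rights on $Path" }

    # Finally confirm the value the uninstaller looks up is actually readable.
    try {
        $null = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
        $result.ValueReadable = $true
    } catch {
        $result.Findings += "Value $Name is not readable under $Path ($($_.Exception.Message))"
    }
    return [pscustomobject]$result
}

# Any entry in Findings means the password check can be skipped and should be investigated.
Test-SepUninstallPasswordGuard | Format-List
```

An empty Findings list with KeyExists, AclReadable and ValueReadable all true means the uninstall password prompt still has what it needs; anything else is worth a ticket, together with a review of who last changed that key's ACL.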

References:

http://seclists.org/fulldisclosure/2013/Sep/27
