Since many of the exploitation techniques that we come across rely on memory corruption, we thought that demonstrating exploitation of this type of flaw would be interesting and informative. They also allow the attacker to execute code in the context of the built-in SYSTEM user account, without requiring a reboot. These vulnerabilities allow an attacker to attain arbitrary hard disk read and write access at sector level, and subsequently infect the target and gain low level persistence (MBR/VBR). In this article we discuss various approaches to exploiting a vulnerability in a kernel driver, PGPwded.sys, which is part of Symantec Encryption Desktop. For more information, see the following SYMC Advisory:
#Symantec encryption desktop disk Patch
While there is no plan to produce a patch for Symantec Encryption Desktop, the Symantec Security and Development teams have recommendations to mitigate the risks involved. Symantec has produced a patch for Symantec Endpoint Encryption as of version 11.3.0 but not for Symantec Encryption Desktop.
This vulnerability affected both Symantec Endpoint Encryption and Symantec Encryption Desktop. We will continue to work with Symantec to help them to produce an effective patch. Consequently, we are at the point of publishing the findings publicly. We have been working with Symantec to try and help them to fix this since our initial private disclosure in July 2017 (full timeline at the end of this article), however no patch has yet been released. Note: These vulnerabilities remain unpatched at the point of publication.
0 kommentar(er)
