August 21st, 2019
Security Researcher, SafeBreach Labs
SafeBreach Labs discovered a new vulnerability in BitDefender Antivirus Free 2020 software.
In this post, we will demonstrate how this vulnerability could be used to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.
This is the latest version of the free version of BitDefender’s Antivirus software.
Some parts of the software run as:
In this post, we describe the vulnerability we found in the BitDefender Antivirus Free 2020.
We then demonstrate how this vulnerability can be exploited to achieve privilege escalation, gaining access with NT AUTHORITY\SYSTEM-level privileges.
In our initial exploration of the software, we targeted the following BitDefender services:
because of the following reasons:
In our exploration, we found that these services were started as signed processes and executed as NT AUTHORITY\SYSTEM.
Once executed, we noticed an interesting behavior:
As you can see, the services were trying to load a missing DLL file from different directories within the PATH environment variable.
Stay with us; we will analyze the root cause of the attempt to load the missing DLL file in the next section of the article.
In our VM, Python 2.7 is installed. The c:\python27 directory has an ACL which allows any authenticated user to write files into it. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.
It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts, and (2) modify the system’s PATH variable to include that directory. This can be done by different applications.
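As an added example (not code from the original post, SafeBreach or BitDefender), the following PowerShell script audits the machine-level PATH for the precondition just described: directories whose ACL lets broad, low-privileged principals create files, and whether the hijackable DLL name is already present in any of them. It assumes a Windows host with built-in cmdlets only.

```powershell
# Added example, not SafeBreach's or BitDefender's code. Audits the machine-level
# PATH (what a SYSTEM service resolves) for directories where broad, low-privileged
# principals may create files, and reports any copy of the hijackable DLL name.

# Low-privilege principals whose Allow ACEs on a PATH directory are a red flag.
$BroadSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# Rights that let a principal drop a new file into a directory:
# FILE_WRITE_DATA/CreateFiles (0x2), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
# Write, Modify and FullControl all contain bit 0x2, so they are matched as well.
$CreateFileBits = 0x2 -bor 0x40000000 -bor 0x10000000

# Name the services try to load without a full path, taken from the analysis above.
$HijackableDll = 'RestartWatchDog.dll'

function Get-WritablePathDirs {
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($dir in ($machinePath -split ';')) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned / unresolvable account, skip it
            if ($BroadSids -notcontains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $CreateFileBits) -eq 0) { continue }
            [PSCustomObject]@{
                Directory  = $dir
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.FileSystemRights
                DllPresent = Test-Path -LiteralPath (Join-Path $dir $HijackableDll)
            }
        }
    }
}

Get-WritablePathDirs | Format-Table -AutoSize
```

Inherited ACEs are deliberately not filtered out, since a permissive ACE inherited from a parent grants the same right; a row with DllPresent = True means the DLL name has already been planted in a hijackable directory and should be investigated.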
In order to test this privilege escalation vulnerability, we compiled an unsigned DLL which writes the following to the filename of a txt file once the DLL is loaded:
We were able to load an arbitrary DLL as a regular user and execute our code within multiple processes which are signed by BitDefender as NT AUTHORITY\SYSTEM.
Once the “BitDefender Update Service” (updatesrv.exe) and the “BitDefender Security Service” (vsserv.exe) are started, they load the ServiceInstance.dll library.
The ServiceInstance.dll library tries to load the “RestartWatchDog.dll” library by calling LoadLibraryW.
There are two root causes for this vulnerability:
Below we show three possible ways that an attacker can leverage the CVE-2019-15295 vulnerability we discovered and documented above.
The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion.
The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted.
After an attacker gains access to a computer, he might have limited privileges, which can restrict access to certain files and data. The service provides him with the ability to operate as NT AUTHORITY\SYSTEM, the most powerful user in Windows, so he can access almost every file and process belonging to the user on the computer.
BitDefender Antivirus Free 2020
July 17th, 2019 - Vulnerability Reported
July 17th, 2019 - Initial Response from BitDefender
August 14th, 2019 - BitDefender has confirmed the vulnerability
August 19th, 2019 - BitDefender has published an advisory and issued CVE-2019-15295