
G Data EndpointProtection Enterprise 17.08.2021 Privilege Escalation

Posted Oct 6, 2021
Authored by Florian Bogner

G Data EndpointProtection Enterprise version 17.08.2021 suffers from a privilege escalation vulnerability.

tags | exploit
SHA-256 | 91647797876a97bb9dca13ac45f67ed97144cbf41673eefe91243c708bd68a49

G DATA Anti-Virus: Abusing OpenSSL to get local admin

Metadata
===================================================
Release Date: 05-Oct-2021
Author: Florian Bogner @ https://bee-itsecurity.at
Affected product: G Data’s Security Client “EndpointProtection Enterprise”
Fixed in: all versions after 17.08.2021
Tested on: Windows 10 x64 fully patched
URL: https://bogner.sh/2021/10/g-data-anti-virus-abusing-openssl-to-get-local-admin/
Vulnerability Status: Fixed with new release

Product Description
===================================================
The most sensitive areas of your systems are your employees’ workstations. Where attachments are opened, passwords are entered, and sensitive data is processed. The servers that make connections across the entire network. And smartphones that come and go with your employees every day. This is precisely where our endpoint security solutions protect your company assets. [https://www.gdata-software.com/business/endpoint-security]

Vulnerability Description
===================================================
The underlying problem was that GdAgentSrv (which runs as SYSTEM) tried to load its OpenSSL configuration from the non-existent path C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-141-static\openssl.cnf (newer versions load from C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-static\openssl.cnf). Any local user can abuse this to load arbitrary libraries (DLLs) and execute untrusted code in the affected process. This leads to a privilege escalation from a non-admin user to SYSTEM.

For more information please visit: https://bogner.sh/2021/10/g-data-anti-virus-abusing-openssl-to-get-local-admin/
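
A defender-side audit for the condition described above, added here as an example (it is not code from the advisory or from G Data). It assumes the statically linked OpenSSL embeds its compile-time directory as an `OPENSSLDIR: "..."` string in the binary; the function names, the protected-root list and the sample bytes are constructed for illustration.

```python
import ntpath
import re

# Static OpenSSL builds carry their compile-time directories as strings such as
# OPENSSLDIR: "C:\path" (the text returned by OpenSSL_version(OPENSSL_DIR)).
_MARKER = re.compile(rb'(OPENSSLDIR|ENGINESDIR): "([^"\x00]{1,260})"')

# Assumption: only these trees are write-protected for standard users by default.
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

# Constructed sample: the directory of the openssl.cnf path named in the advisory.
SAMPLE = (b"\x00\x00"
          + rb'OPENSSLDIR: "C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-141-static"'
          + b"\x00")


def embedded_openssl_dirs(blob: bytes) -> dict[str, str]:
    """Return {marker: path} for each OpenSSL directory string found in blob."""
    return {m.group(1).decode(): m.group(2).decode("latin-1")
            for m in _MARKER.finditer(blob)}


def is_protected(path: str) -> bool:
    """True if path lies inside one of PROTECTED_ROOTS (case-insensitive)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return any(norm == root or norm.startswith(root + "\\")
               for root in PROTECTED_ROOTS)


def audit(blob: bytes, exists=ntpath.exists) -> list[dict]:
    """Report each embedded directory, whether it is missing on this host,
    and whether it sits outside the protected trees."""
    findings = []
    for marker, path in embedded_openssl_dirs(blob).items():
        findings.append({
            "marker": marker,
            "path": path,
            # OpenSSL looks for openssl.cnf directly under OPENSSLDIR.
            "config": ntpath.join(path, "openssl.cnf") if marker == "OPENSSLDIR" else None,
            "missing": not exists(path),
            "outside_protected": not is_protected(path),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding that is both `missing` and `outside_protected` in a binary that runs as SYSTEM matches the situation the advisory describes and is worth escalating to the vendor.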

Suggested Solution
===================================================
Users should update to the latest available version.

Disclosure Timeline
===================================================
10.10.2019: The issue has been identified, documented and reported (ticket number CAS-730826-F7K4R9). No reply received.
11.2020: The issue was communicated again to G Data’s Sales Team in Austria. After initial communication no further feedback.
06.2021: The issue was abused during a security check to take over another client’s infrastructure.
14.06.2021: G DATA confirms the vulnerability. Public disclosure is planned for 15th September 2021.
17.08.2021: Fixed version is released to the public
05.10.2021: Public disclosure

___________

Florian Bogner
Information Security Expert, Speaker

Bee IT Security Consulting GmbH
Nibelungenstraße 37
3123 A-Schweinern

Tel: +43 660 123 9 454
Mail: florian.bogner@bee-itsecurity.at
Web: https://www.bee-itsecurity.at




