DATA Anti-Virus: Abusing OpenSSL to get local admin Metadata =================================================== Release Date: 05-Oct-2021 Author: Florian Bogner @ https://bee-itsecurity.at Affected product: G Data’s Security Client “EndpointProtection Enterprise” Fixed in: all versions after 17.08.2021 Tested on: Windows 10 x64 fully patched URL: https://bogner.sh/2021/10/g-data-anti-virus-abusing-openssl-to-get-local-admin/ Vulnerability Status: Fixed with new release Product Description =================================================== The most sensitive areas of your systems are your employees’ workstations. Where attachments are opened, passwords are entered, and sensitive data is processed. The servers that make connections across the entire network. And smartphones that come and go with your employees every day. This is precisely where our endpoint security solutions protect your company assets. [https://www.gdata-software.com/business/endpoint-security] Vulnerability Description =================================================== The underlying problem was, that the GdAgentSrv (which is running as SYSTEM) tried to load its OpenSSL configuration from the non-existing path C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-141-static\openssl.cnf (newer versions load from C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-static\openssl.cnf). This can be abused by any local user to load arbitrary libraries (DLLs) and execute untrusted code in the affected process. This leads to a privilege escalation from non-admin user to SYSTEM. For more information please visit: https://bogner.sh/2021/10/g-data-anti-virus-abusing-openssl-to-get-local-admin/ Suggested Solution =================================================== Users should update to the latest available version. Disclosure Timeline =================================================== 10.10.2019: The issue has been identified, documented and reported (ticket number CAS-730826-F7K4R9). No reply received. 11.2020: The issue was communicated again to G Data’s Sales Team in Austria. After initial communication no further feedback. 06.2021: The issues was abused during a security check to overtake another client’s infrastructure. 14.06.2021: G DATA confirms the vulnerability. Public disclosure is planed for 15th September 2021 17.08.2021: Fixed version is released to the public 05.10.2021: Public disclosure ___________ Florian Bogner Information Security Expert, Speaker Bee IT Security Consulting GmbH Nibelungenstraße 37 3123 A-Schweinern Tel: +43 660 123 9 454 Mail: florian.bogner@bee-itsecurity.at Web: https://www.bee-itsecurity.at