CVE-2018-18368 SEP Manager EoP Exploit
# Summary
**Product Name**: Symantec Endpoint Protection Manager 14 MP1.2, build 1023 (14.2.1023.0100); older versions may also be affected
**Impact**: **High**. A standard Windows user (not an admin) can escalate to **NT SERVICE\semwebsrv**. That account has access to many SEPM components and can tamper with JSP, PHP and probably JAR files, so a full takeover of SEPM seems possible.
Moreover, further escalation to SYSTEM is possible.
**Vulnerability Type**: DLL Preloading
**DLL**: dbicudtx16.dll
**Affected process**: php-cgi.exe
**Attack Vector**: local
# Description
When a user opens the SEPM console and tries to log in, the php-cgi.exe process is executed as **NT SERVICE\semwebsrv** and tries to load **dbicudtx16.dll** from several locations.
One of the directories it searches is **C:\bin32**. If that directory does not exist, any user can create it and place a malicious dbicudtx16.dll inside.
The DLL is loaded the next time someone tries to log in to the SEPM.
Note that C:\bin32 does not exist by default, and any user can create folders directly under C:\.
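The following PowerShell audit script is an added defender-side example, not part of the original PoC or of Symantec's product: it checks whether the searched directory already exists (and who can write to it or has dropped the DLL), whether standard users can create folders under C:\, and, with the assumed `-Remediate` switch, pre-creates C:\bin32 with an admin-only ACL as an interim mitigation until the product is patched. Only the path C:\bin32 and the file name dbicudtx16.dll come from the advisory; everything else is this script's own assumption.

```powershell
# Added defender-side check for the C:\bin32 / dbicudtx16.dll preloading path.
# Assumptions: the path and DLL name are from the advisory; the -Remediate
# switch and the ACL chosen below are this script's own, not the vendor's fix.
param([switch]$Remediate)

$dir = 'C:\bin32'
$dll = Join-Path $dir 'dbicudtx16.dll'

# 1. Does the squattable directory already exist, and who can write into it?
if (Test-Path -LiteralPath $dir) {
    $acl = Get-Acl -LiteralPath $dir
    Write-Host "[!] $dir exists; owner: $($acl.Owner)"
    $acl.Access | Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object { Write-Host ("    write access: {0} ({1})" -f $_.IdentityReference, $_.FileSystemRights) }
    if (Test-Path -LiteralPath $dll) {
        # A DLL in this location is never expected; record hash and signature state for triage.
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $dll).Status
        Write-Host "[!] $dll present; SHA256=$hash; signature=$sig"
    }
} else {
    Write-Host "[*] $dir does not exist (the state the advisory describes)."
}

# 2. Can non-admin principals create folders directly under C:\ ?
$rootAcl = Get-Acl -LiteralPath 'C:\'
$rootAcl.Access |
    Where-Object { $_.IdentityReference -match 'Users|Authenticated Users|Everyone' -and
                   $_.FileSystemRights -match 'AppendData|CreateDirectories|Write|Modify|FullControl' } |
    ForEach-Object { Write-Host ("[!] {0} can create under C:\ ({1})" -f $_.IdentityReference, $_.FileSystemRights) }

# 3. Optional interim mitigation: pre-create the directory so only Administrators
#    and SYSTEM can write into it; standard users get read/execute only.
if ($Remediate -and -not (Test-Path -LiteralPath $dir)) {
    $null = New-Item -ItemType Directory -Path $dir
    $acl = Get-Acl -LiteralPath $dir
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the permissive C:\ ACEs
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -LiteralPath $dir -AclObject $acl
    Write-Host "[+] Created $dir with admin-only write access."
}
```

Run it from an elevated prompt; a legitimate copy of dbicudtx16.dll should only ever be loaded from the SEPM installation directories, so any hit under C:\bin32 warrants investigation.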
# PoC
You can find a full, detailed video at the following link:
https://youtu.be/e_hbJ9NdIcg
**Some time frames of the video:**
00:00 - 00:50 -> identification
00:51 - 02:27 -> attacker's privileges
02:28 - 03:05 -> the attack
03:06 - 03:50 -> triggering the escalation
03:51 - 09:23 -> providing some attack scenarios
```
[4.0K] /data/pocs/09560f5ff605a9a413e2cfe5b32966ca29d86d7d
├── [2.3K] disclosure.md
├── [4.0K] Exploit-Source
│   ├── [4.0K] SEPM-14_MP1.2
│   │   ├── [ 430] pch.cpp
│   │   ├── [1.2K] pch.h
│   │   ├── [1.1K] SEPM-14_MP1.2.cpp
│   │   ├── [8.5K] SEPM-14_MP1.2.vcxproj
│   │   ├── [1.2K] SEPM-14_MP1.2.vcxproj.filters
│   │   ├── [ 165] SEPM-14_MP1.2.vcxproj.user
│   │   └── [4.0K] x64
│   │       └── [4.0K] Release
│   │           ├── [1.4K] SEPM-14_MP1.2.Build.CppClean.log
│   │           └── [   3] SEPM-14_MP1.2.log
│   └── [1.4K] SEPM-14_MP1 2.sln
└── [1.4K] README.md

4 directories, 11 files
```