CVE-2023-7241 ‒ Local Privilege Escalation in Webroot Endpoint Protection

Description

Webroot Endpoint Protection is a security product that protects endpoints from malware and detects attacks. The vulnerability, now fixed, allowed an attacker with existing access to a system to elevate their privileges to SYSTEM.

Vulnerability

The vulnerability abused a trust relationship between frontend processes running in the context of an unprivileged user and privileged backend processes running as SYSTEM.

It was possible to abuse COM hijacking to inject a DLL into the frontend process of Webroot Endpoint Protection. More specifically, this was possible by hijacking the interface with the GUID {AF02484C-A0A9-4669-9051-058AB12B9195}.

The frontend process has a trust relationship with the backend processes of Webroot Endpoint Protection, which run as SYSTEM. One command that could be issued by the frontend allowed attackers to delete arbitrary files on the local system. Using the DLL injected via COM hijacking, one could issue this command to delete a file.

We used tooling provided by the Zero Day Initiative (ZDI) to exploit the file deletion to gain SYSTEM privileges.
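
The following PowerShell script is an added defender-side check and is not part of the original advisory or the vendor's tooling. COM hijacking works because HKCU\Software\Classes is consulted before HKLM\Software\Classes, so an unprivileged user can redirect a class or interface to a DLL they control; a legitimate product registration lives under HKLM. The script looks for a per-user registration of the GUID named above. It assumes the GUID may be registered as a CLSID and/or an Interface key, so both locations are examined, and it assumes the usual server subkey names (InprocServer32, LocalServer32, ProxyStubClsid32, TreatAs).

```powershell
# Added example (not from the advisory): detect a per-user (HKCU) COM
# registration of the GUID from CVE-2023-7241. Any HKCU entry for a GUID that
# the product registers machine-wide is a COM hijacking indicator.

$AdvisoryGuid = '{AF02484C-A0A9-4669-9051-058AB12B9195}'

function Get-ComServerPath {
    # Returns "<subkey> = <default value>" for the first server subkey present, or $null.
    param([Parameter(Mandatory)][string]$KeyPath)
    foreach ($sub in 'InprocServer32', 'LocalServer32', 'ProxyStubClsid32', 'TreatAs') {
        $p = Join-Path -Path $KeyPath -ChildPath $sub
        if (Test-Path -LiteralPath $p) {
            $v = (Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue).'(default)'
            if ($v) { return "$sub = $v" }
        }
    }
    return $null
}

function Test-UserComOverride {
    # Emits one object per per-user registration found for $Guid.
    param([Parameter(Mandatory)][string]$Guid)
    foreach ($kind in 'CLSID', 'Interface') {
        $userKey    = "HKCU:\Software\Classes\$kind\$Guid"
        $machineKey = "HKLM:\Software\Classes\$kind\$Guid"
        if (-not (Test-Path -LiteralPath $userKey)) { continue }
        $machineExists = Test-Path -LiteralPath $machineKey
        [pscustomobject]@{
            Guid             = $Guid
            KeyType          = $kind
            UserKey          = $userKey
            UserServer       = Get-ComServerPath -KeyPath $userKey
            MachineKeyExists = $machineExists
            MachineServer    = if ($machineExists) { Get-ComServerPath -KeyPath $machineKey } else { $null }
        }
    }
}

$findings = @(Test-UserComOverride -Guid $AdvisoryGuid)
if ($findings.Count -eq 0) {
    "No per-user COM registration found for $AdvisoryGuid."
} else {
    # A UserServer pointing at a DLL in a user-writable location (e.g. under
    # %APPDATA% or %TEMP%) is the classic hijack pattern and warrants triage.
    $findings | Format-List
}
```

Running this from the interactive user's context is what matters, since the hijack key lives in that user's hive; for ongoing visibility, a Sysmon registry-event rule on writes to HKU\*\Software\Classes\CLSID\{AF02484C-A0A9-4669-9051-058AB12B9195} (and the Interface equivalent) catches the registration at the moment it is created rather than on the next scheduled scan.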

Mitigations

Install a current version of Webroot Endpoint Protection. This vulnerability was fixed in version 9.0.35.17.
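
As an added example (not from the advisory), the following PowerShell snippet compares the installed product version against the fixed version stated above so the check can be scripted across a fleet. It assumes the product's uninstall entry has a DisplayName containing "Webroot" and a DisplayVersion in dotted numeric form; the exact strings the installer writes were not verified here, so adjust the filter if your installation differs.

```powershell
# Added example (not from the advisory): is the installed Webroot Endpoint
# Protection at or above the fixed version 9.0.35.17?

$FixedVersion = [version]'9.0.35.17'

function Get-WebrootInstallInfo {
    # Reads the standard Uninstall keys (64-bit and 32-bit views).
    # Assumption: DisplayName contains "Webroot".
    $uninstallRoots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath } |
        Where-Object { $_.DisplayName -like '*Webroot*' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-WebrootPatched {
    # Emits one object per matching install; Patched is $null when the
    # version string could not be parsed and needs a manual look.
    param([Parameter(Mandatory)][version]$Fixed)
    $entries = @(Get-WebrootInstallInfo)
    if ($entries.Count -eq 0) {
        return [pscustomobject]@{ Product = '(no Webroot uninstall entry found)'; Version = $null; Patched = $null }
    }
    foreach ($e in $entries) {
        $parsed = $null
        $ok = [version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)
        [pscustomobject]@{
            Product = $e.DisplayName
            Version = $e.DisplayVersion
            Patched = if ($ok) { $parsed -ge $Fixed } else { $null }
        }
    }
}

Test-WebrootPatched -Fixed $FixedVersion | Format-Table -AutoSize
```

The comparison uses [version] rather than string comparison so that, for example, 9.0.35.9 is correctly treated as older than 9.0.35.17.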

Timeline

Date         Action
04.12.2023   Vendor was contacted and informed about the vulnerability
05.12.2023   Initial response from vendor
02.02.2024   Vendor informs us that a fix is available for testing
26.02.2024   Confirmed to the vendor that the exploit was no longer possible
01.05.2024   Vendor released advisory
