
smc.exe

Re: SEPKILL /im SMC.EXE /f

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@live.in>
Sent: Friday, February 20, 2009 11:01 AM
To: <bugtraq@securityfocus.com>
Subject: Re: SEPKILL /im SMC.EXE /f

> Privilege Escalation attack
>
> POC:
>

Re: SEPKILL /im SMC.EXE /f

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@live.in>
Sent: Thursday, February 19, 2009 12:50 PM
To: <bugtraq@securityfocus.com>
Subject: Re: SEPKILL /im SMC.EXE /f

> Please note the following. I have reported this to Symantec at
> https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&thread.id=25786&view=by_date_ascending&page=2
>
>

Re: SEPKILL /im SMC.EXE /f

goto :here



It's mainly brute-forcing the icon not to appear in the taskbar, but doing more 
than that. The communication with the manager is lost (though with smc.exe 
running under system account) and NTP is over and out from the SEP client 
console while this is running.




Re: SEPKILL /im SMC.EXE /f

--------------------------------------------------
From: "David Calabro" <dcalabro@transitionalwork.org>
Sent: Saturday, February 14, 2009 1:02 AM
To: "'Sandeep Cheema'" <51l3n7@live.in>; <bugtraq@securityfocus.com>
Subject: RE: SEPKILL /im SMC.EXE /f

> If the Symantec Management Client service was somehow changed from 
> "smc.exe" to "smc.exe -P" it would effectively prevent the service from 
> starting in the first place. Correct?
>

RE: SEPKILL /im SMC.EXE /f

If the Symantec Management Client service was somehow changed from "smc.exe" to "smc.exe -P" it would effectively prevent the service from starting in the first place. Correct?

-----Original Message-----
From: Sandeep Cheema [mailto:51l3n7@live.in] 
Sent: Friday, February 13, 2009 12:25 PM
To: bugtraq@securityfocus.com
Subject: Re: SEPKILL /im SMC.EXE /f

Just as an update, couldn't get any further other than the fact that 
SMCGui.exe is getting killed as it's running in the user account and SMC.exe 

Re: SEPKILL /im SMC.EXE /f

Just as an update, couldn't get any further other than the fact that 
SMCGui.exe is getting killed as it's running in the user account and SMC.exe 
in the system account.

Thank you.

Regards, Sandeep

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@live.in>

Re: SEP(Symantec) Bug

>
> Are you saying this is supposed to affect 11.0.4000.x? If so, what
> sub-sub-minor versions did you test it on?
>
> I just tested this on 11.0.4000.2295 (on a managed client) and all it
> did was crash the smc.exe process started by the command you supplied,
> not smcgui.exe process. I tested as an administrator and an unprivileged
> user and got the same results - smc.exe crashes, but not the smcgui.exe
> process.
>
> It would be interesting if you could provide more information, since if

RE: SEP(Symantec) Bug

Are you saying this is supposed to affect 11.0.4000.x? If so, what
sub-sub-minor versions did you test it on?

I just tested this on 11.0.4000.2295 (on a managed client) and all it
did was crash the smc.exe process started by the command you supplied,
not smcgui.exe process. I tested as an administrator and an unprivileged
user and got the same results - smc.exe crashes, but not the smcgui.exe
process.

It would be interesting if you could provide more information, since if

Re: SEPKILL /im SMC.EXE /f

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@live.in>
Sent: Friday, February 13, 2009 7:03 PM
To: <bugtraq@securityfocus.com>
Subject: Re: SEPKILL /im SMC.EXE /f

> As an update, it's not happening for "Users" account, though no access 
> denied.
>
> Anyone know why?

Re: SEPKILL /im SMC.EXE /f

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@live.in>
Sent: Friday, February 13, 2009 6:18 PM
To: <bugtraq@securityfocus.com>
Subject: SEPKILL /im SMC.EXE /f

> Hi,
>
> Probably this bug exists on majorly all the software but security 
> software like antivirus and firewall have to bucket it which is not what 

SEPKILL /im SMC.EXE /f

It's for SEP.
I have tested it on all versions of SEP from 11.0.776 to 11.0.4000(XP and 
2k3)


You can kill smc.exe with the help of drwtsn32.exe in the following way.

drwtsn32 -p %pid%
where pid is the process id for smc.exe

POC:

Re: RE: SEP(Symantec) Bug

For what it is worth...
I'm running MR4 version (11.0.4000.2295) and executing the command under a non-privileged account does throw a dialog box with the error message.  It also puts an event in the application event log to the effect of "Faulting application smc.exe, version 11.0.4000.2261, faulting module msvcr80.dll, version 8.0.50727.1433, fault address 0x000079f", but watching task manager SMC.EXE running under the SYSTEM user and SMCGUI.EXE running under the same non-privileged account never dies.  I do see an additional SMC.EXE process startup under the non-privileged user, but it is the process failing.  I also tried this running the command with an admin account with the same results.



SEP(Symantec) Bug

Hi,

There is a bug with the "Symantec Endpoint Protection" (tested on all 
versions till 11.0.4000).

When you execute the following command "smc.exe -p ~ " the smcgui.exe 
crashes. You don't need admin privilege for this.

Regards, Sandeep
51l3n7[at]live.in


Re: SEP(Symantec) Bug

Symantec has reviewed the issue that was reported with smc.exe crashing from the command line. We have confirmed that an improperly formatted command line can cause the user mode process to crash.  However, the privileged service process is unaffected. The client machine maintained full protection.  Symantec will supply an update to prevent the command line tool from crashing in a future release.



RE: SEP(Symantec) Bug

Confirmed on XP and Vista. Error message "Symantec CMC Smc has stopped
working" or "encountered a problem and needs to close"

Works with "smc.exe -p (anything)" as long as you don't pass a command
after the password. -p is the password switch.





