CVE-2018-5349 in Heimdal Pro
Summary
by MITRE
A vulnerability has been found in Heimdal PRO v2.2.190, but it is most likely also present in Heimdal FREE and Heimdal CORP. Faulty permissions on the directory "C:\ProgramData\Heimdal Security\Heimdal Agent" allow BUILTIN\Users to write new files to the directory. On startup, the process Heimdal.MonitorServices.exe running as SYSTEM will attempt to load version.dll from this directory. Placing a malicious version.dll in this directory will result in privilege escalation. NOTE: any affected Heimdal products are completely unrelated to the Heimdal vendor of a Kerberos 5 product on the h5l.org web site.
Analysis
by VulDB Data Team • 01/15/2020
CVE-2018-5349 is a critical local privilege escalation vulnerability affecting Heimdal PRO, FREE, and CORP security products. It stems from improper directory permissions that allow the BUILTIN\Users group to write files to C:\ProgramData\Heimdal Security\Heimdal Agent. The installation directory lacks appropriate access controls, leaving a persistent weakness that a local attacker can exploit. The vulnerability is classified as CWE-276 (Incorrect Default Permissions), which covers inadequate file and directory access control set at install time. The attack violates the principle of least privilege: a low-privilege user can tamper with a component that should be writable only by administrators or system processes.
Exploitation begins with the unauthorized write access to the vulnerable directory. When Heimdal.MonitorServices.exe starts, it runs with SYSTEM privileges and attempts to load a file named version.dll from that directory. This is a classic DLL hijacking scenario: a malicious version.dll placed in the directory is loaded and executed with the process's privileges. Because the process runs as SYSTEM, any code loaded this way runs with the highest privileges available on the host. The vulnerability maps to ATT&CK technique T1068, Exploitation for Privilege Escalation.
The operational impact is severe: a local attacker can escalate to SYSTEM without any special privileges or a complex attack chain. With write access to the directory, placing a malicious DLL is enough to execute arbitrary code as SYSTEM, which amounts to complete compromise of the host. Because multiple product lines from the same vendor are affected, the flaw appears to be systemic rather than specific to one build, and organizations running any of these Heimdal editions are potentially exposed. The attack requires minimal technical expertise and consists of a simple file placement, which makes it particularly dangerous in environments where user access controls are not properly enforced.
Organizations should immediately restrict write permissions on the vulnerable directory so that only authorized system processes and administrators can write to C:\ProgramData\Heimdal Security\Heimdal Agent. Application whitelisting policies can additionally block execution of unauthorized DLL files. Administrators should also disable unnecessary services and ensure that only trusted applications can write to system directories. More broadly, the vulnerability illustrates why proper access control and least privilege matter in security design; organizations should audit their installed software for similar permission issues and confirm that all system directories carry appropriate access controls. Secure development practices and careful permission management remain the primary defense against this class of privilege escalation.
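The ACL audit and hardening described above, as an added example (not code from the advisory or from the vendor): it lists ACEs on the affected directory that grant broad groups write or create rights, warns if a version.dll is already present, and then removes the broad grants. The directory path comes from the advisory; the list of broad principals and the final permission set are assumptions to adjust for your environment. Run in an elevated PowerShell session.

```powershell
# Added example: audit and harden the directory named in CVE-2018-5349.
$Path = 'C:\ProgramData\Heimdal Security\Heimdal Agent'

# Principals that should never hold write rights on a SYSTEM-loaded DLL path
# (assumed list; extend with local groups that map to ordinary users).
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow dropping or replacing a file in the directory.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $FSR::CreateFiles -bor $FSR::CreateDirectories -bor
             $FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete

function Find-WeakWriteAces {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# An unexpected version.dll in this directory is the artifact the advisory describes.
if (Test-Path -LiteralPath (Join-Path $Path 'version.dll')) {
    Write-Warning "version.dll present in $Path; verify its publisher and hash before trusting it."
}

$weak = @(Find-WeakWriteAces -Directory $Path)
if ($weak.Count -eq 0) {
    Write-Host "No broad write grants found on $Path"
} else {
    $weak | Format-Table -AutoSize
    # Break inheritance (keeping copies of inherited ACEs), drop the broad
    # grants, then set an explicit least-privilege ACL: SYSTEM and
    # Administrators full control, Users read/execute only (assumed policy).
    icacls $Path /inheritance:d | Out-Null
    foreach ($p in $BroadPrincipals) { icacls $Path /remove:g $p | Out-Null }
    icacls $Path /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                 /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
                 /grant:r 'BUILTIN\Users:(OI)(CI)RX' | Out-Null
    Find-WeakWriteAces -Directory $Path   # should now return nothing
}
```

Re-run the audit function after the agent is updated or reinstalled, since an installer may restore the original permissions.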