DGC and PKF O'Connor Davies Join Forces

Effective January 1, 2022 DGC merged with PKF O’Connor Davies (PKFOD), the 27th largest accounting and advisory firm in the U.S. Click here for more information.

DGC’s IT Risk Team Discovers Previously Unknown Vulnerability in Autodesk Software During Penetration Testing for Client

8/11/2021 Articles & Podcasts

During a recent client engagement, the DGC penetration testing team identified a previously unknown vulnerability affecting the Autodesk Licensing Service, a software component bundled with nearly all licensed Autodesk products. Because this component is common to most Autodesk products, the vulnerability impacts nearly all organizations using licensed Autodesk software in any capacity. The Common Vulnerabilities and Exposures number is CVE-2021-27032, Autodesk Licensing Service: Local Privilege Escalation.

Because these software products are so widely deployed across the public and private sectors, vulnerabilities in Autodesk products pose a significant risk to many organizations, as Autodesk products are often used to generate and process intellectual property and other sensitive data. While a vulnerability in any one Autodesk product represents a risk to the organizations which happen to be using that specific piece of software, a vulnerability that affects nearly all Autodesk applications is considered a critical issue requiring immediate attention.

Autodesk is a global leader in 3D design and development software, and their products are ubiquitous across many industry verticals, including architecture, engineering, construction, design, and manufacturing. Organizations all over the world rely on Autodesk products, including AutoCAD, to aid in the design, development, and manufacturing of all kinds of products. Additionally, Autodesk software is widely deployed across the defense industrial base and critical infrastructure sectors.

Issue
The issue lies in the default permissions assigned to the Autodesk Licensing Service, which runs as a locally privileged operating system account. The default permissions assigned to this service allow any authenticated user to modify the service configuration. This means that any low-privileged user can abuse this vulnerable service configuration to execute code in the context of a highly privileged account, resulting in local privilege escalation. As a result, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Exploiting this vulnerability requires local access to the system, meaning an attacker would first have to gain initial access to a system before being able to escalate their privileges using this vulnerability.

Identification and Exploitation
Vulnerabilities related to insecure service configurations are nothing new in the world of information security, and as such, there are a number of offensive and defensive tools available to identify and exploit this class of vulnerabilities.

One of the best tools available is accesschk, which is part of the Windows SysInternals Suite. As well as being able to identify various types of service configuration weaknesses, this tool also provides additional benefits over some of the other offerings. These include the fact that this executable is signed by Microsoft, meaning it’s very unlikely to be flagged by antivirus vendors as potentially malicious, and may even bypass certain application whitelisting restrictions which require code to be signed by authorized developers in order to run on an endpoint. Better yet, this tool can be run “live” without ever requiring the executable itself to touch disk on a target system, thanks to the live versions of these tools available over the internet.

A command like the following can allow an attacker or penetration tester to mount and use the entire SysInternals suite of tools, without requiring any actual downloads:

net use Z: https://live.sysinternals.com

With the entire suite of tools available on the newly mounted “Z” drive, it is possible to enumerate all services and their permissions using the following command:

Z:\accesschk.exe -uwcqv *

Further, if we know what local groups our account is a member of, we can zoom in on those services granting permissions directly to our account or groups of which we are a member. For example, the following command can be used to identify services for which permissions have been assigned to the “Everyone” group:

Z:\accesschk.exe -uwcqv "Everyone" *

In the output of these commands, an attacker should look for any of the following privileges assigned to their user or a group of which they are a member. These permissions mean that the attacker can either directly modify the service configuration or grant themselves the necessary permissions to do so: SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS, GENERIC_WRITE, GENERIC_ALL, WRITE_DAC, and WRITE_OWNER.
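Defenders can run the same check offline against service security descriptors collected with `sc sdshow <service>`. The following is an added example, not code from the original article: it parses a service SDDL string and reports access-allowed ACEs that give broad groups any of the rights listed above. The sample descriptors are constructed, and the function and constant names are hypothetical.

```python
import re

# Rights from the article's list, as SDDL letter codes and access-mask bits.
# SERVICE_ALL_ACCESS (0xF01FF) shows up as DC + WD + WO together.
RISKY = {
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GA": ("GENERIC_ALL", 0x10000000),
}
# Principals that include ordinary low-privileged users (SDDL alias or raw SID).
# Note "WD" means Everyone in the SID field but WRITE_DAC in the rights field.
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE",
}

def risky_rights(rights):
    """Names of risky rights in an ACE rights field (letter codes or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for name, bit in RISKY.values() if mask & bit]
    return [RISKY[c][0] for c in re.findall("..", rights) if c in RISKY]

def audit_service_sddl(sddl):
    """Return [(principal, [rights])] for allow ACEs that are too permissive."""
    dacl = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)  # ignore the S: (SACL) part
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) != 6 or fields[0] != "A":  # only access-allowed ACEs
            continue
        who, hits = BROAD.get(fields[5]), risky_rights(fields[2])
        if who and hits:
            findings.append((who, hits))
    return findings

# Constructed sample descriptors in the format printed by `sc sdshow <service>`.
TYPICAL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"

if __name__ == "__main__":
    for label, sddl in (("typical", TYPICAL), ("weak", WEAK)):
        print(label, audit_service_sddl(sddl))
```
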

Once a vulnerable service has been identified, all the attacker needs to do is modify the service configuration to point to a malicious executable of their choosing, for example, a reverse shell granting remote access to the system, or an executable designed to add a new local administrator account. When the service is stopped and restarted, the modified configuration will be executed, allowing the attacker to elevate privileges on the operating system.

Solution
DGC found and disclosed this vulnerability to the Autodesk Product Security Incident Response Team (PSIRT) immediately after discovering it during a penetration testing engagement. Because this vulnerability affected the entire Autodesk product suite, analysis and patching of the vulnerability took quite some time, but the PSIRT team was responsive and collaborative throughout the entire process. Autodesk has fixed this vulnerability in version 10.2.0.4231 of the affected service, and has provided a security advisory for their customers detailing the vulnerability and affected software versions.

If your organization leverages Autodesk products, patch immediately to mitigate the risk associated with this vulnerability before an attacker can exploit it to gain administrative privileges on systems where the affected software is installed!

If you have questions related to this vulnerability, or other steps you can take to assess and secure your environment, contact Scott Goodwin, OSCP, OSWP, CEH at 781-937-5722 / sgoodwin@dgccpa.com.


About the Author

Scott Goodwin, OSCP, OSWP, CEH, Manager

© 2022 DGC, a division of PKF O'Connor Davies.
All Rights Reserved.