OpenEDR Privilege Escalation Vulnerability via Self-Defense Bypass
Vulnerability
A local privilege escalation vulnerability has been identified in OpenEDR versions through 2.5.1.0. This vulnerability allows an attacker to bypass the application's self-defense mechanism by renaming a malicious executable to match the name of a trusted process. Once the executable is recognized as trusted, the attacker can interact with the OpenEDR kernel driver, accessing privileged functions such as configuration changes, process monitoring, and IOCTL communication, which are normally restricted to trusted components. While this vulnerability does not directly grant SYSTEM privileges, it undermines OpenEDR's trust model, enabling further exploitation that could lead to full local privilege escalation.
Impact
Exploitation of this vulnerability breaks OpenEDR's trust model, allowing unauthorized access to privileged functionalities of the OpenEDR kernel driver. This access can be exploited to escalate privileges to local administrator on the affected system.
Reproduction
To reproduce this vulnerability, rename a malicious executable to match the name of a trusted process, such as csrss.exe, edrsvc.exe, or edrcon.exe. Once renamed, execute the file. The OpenEDR driver will load a monitoring DLL into the process, which can be used to interact with the OpenEDR kernel driver and access privileged functionalities.
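Since a file name match is enough for the driver to treat a process as trusted, one defensive check is to flag any running process that carries one of those names but sits outside its expected directory or lacks the expected signer. The Python below is an added example written for this advisory, not OpenEDR code: the OpenEDR install directory and signer name are placeholders, and the process snapshot is constructed.

```python
"""Flag processes whose image name matches a name OpenEDR trusts but whose
on-disk location or signer does not match what that name should have."""
from pathlib import PureWindowsPath
from typing import Dict, List, NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    image_path: str
    signer: Optional[str]  # Authenticode signer subject, None if unsigned


# Names the advisory lists as trusted, with the directory and signer each one
# should have. csrss.exe is a Windows binary; the OpenEDR directory and signer
# are placeholders (assumption), substitute the real values for your install.
EDR_DIR = r"C:\Program Files\OpenEDR"  # placeholder
EDR_SIGNER = "OPENEDR_SIGNER_PLACEHOLDER"  # placeholder
EXPECTED = {
    "csrss.exe": (r"C:\Windows\System32", "Microsoft Windows"),
    "edrsvc.exe": (EDR_DIR, EDR_SIGNER),
    "edrcon.exe": (EDR_DIR, EDR_SIGNER),
}


def _norm(p: str) -> str:
    # Windows paths are case-insensitive; compare them normalised.
    return str(PureWindowsPath(p)).lower()


def check_process(proc: Proc) -> List[str]:
    """Return the reasons a process looks like a trusted-name impersonation."""
    path = PureWindowsPath(proc.image_path)
    rule = EXPECTED.get(path.name.lower())
    if rule is None:
        return []  # not a trusted name, out of scope for this check
    exp_dir, exp_signer = rule
    reasons = []
    if _norm(str(path.parent)) != _norm(exp_dir):
        reasons.append(f"unexpected directory {path.parent}")
    if proc.signer != exp_signer:
        reasons.append(f"unexpected signer {proc.signer!r}")
    return reasons


def find_impersonators(procs: List[Proc]) -> Dict[int, List[str]]:
    return {p.pid: r for p in procs if (r := check_process(p))}


# Constructed sample snapshot: a genuine csrss.exe, a renamed unsigned binary
# in a user-writable directory, and a genuine edrsvc.exe.
SAMPLE = [
    Proc(512, r"C:\Windows\System32\csrss.exe", "Microsoft Windows"),
    Proc(4242, r"C:\Users\alice\AppData\Local\Temp\csrss.exe", None),
    Proc(900, r"C:\Program Files\OpenEDR\edrsvc.exe", EDR_SIGNER),
]
```

On a live host, feed `find_impersonators` the output of a process enumeration that includes image path and signer, and treat any hit as a candidate self-defense bypass to investigate.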
