{"id":8329,"date":"2017-07-12T14:19:32","date_gmt":"2017-07-12T22:19:32","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/12\/news-2103\/"},"modified":"2017-07-12T14:19:32","modified_gmt":"2017-07-12T22:19:32","slug":"news-2103","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/12\/news-2103\/","title":{"rendered":"SSD Advisory \u2013 360 Total Security Privileged Escalation"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Wed, 12 Jul 2017 10:55:43 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\" id=\"a-href-3314\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a privilege escalation vulnerability found in 360 Total Security.<\/p>\n<p>360 Total Security offers your PC complete protection from Viruses, Trojans and other emerging threats. <\/p>\n<p>Whether you are shopping online, downloading files or chatting with your friends you can be sure that 360 Total Security is there to keep you safe and your computer optimized. 
A clean-up utility is just one click away to keep your PC in optimal condition.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor has released patches to address this vulnerability and has only provided these details in response to our query on the status: \u201cWe will release this patch on 7\/7\u201d<\/p>\n<p><span id=\"more-3314\"><\/span><\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> When 360 Total Security loads on a Windows machine, its binaries try to load a DLL (Shcore.dll) in order to display correctly on high-DPI displays.<\/p>\n<p>360 Total Security installs Shcore.dll on Windows 8.1 and above, but not on earlier versions (for example &#8211; Windows 7 and XP). For this reason, the administration components of 360 Total Security also try to find and load this DLL on Windows 7, where it does not exist. <\/p>\n<p>Placing a DLL named Shcore.dll in a directory listed in the PATH system variable causes it to be loaded into the memory space of the 360 software. 
Loading the DLL inside a 360 administration process gives us administrator privileges.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<ul>\n<li>Install 360 Total Security and optionally update to the latest version<\/li>\n<li>Log into a Windows 7 machine and create a DLL planting environment:\n<ol>\n<li>The easiest way is to install Python for Windows<\/li>\n<li>Select \u201cAdd Python to the path\u201d in the installer (the most common install option)<\/li>\n<\/ol>\n<\/li>\n<li>Log in as a totally unprivileged user and copy the DLL, renamed to Shcore.dll, to C:\\Python27 (in case you used Python as the DLL planting vector)<\/li>\n<li>There are now two options to trigger the vulnerability:\n<ol>\n<li>If the administrator is not logged in, log in as administrator (fastest way)<\/li>\n<li>If the administrator is already logged in &#8211; it will take several minutes. The reason is that 360 periodically launches processes in the background. Any of them will trigger the vulnerability and execute the code. Tests have shown this is a matter of minutes.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3314\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Wed, 12 Jul 2017 10:55:43 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a privilege escalation vulnerability found in 360 Total Security. 
360 Total Security offers your PC complete protection from Viruses, Trojans and other emerging threats. Whether you are shopping online, downloading files or chatting with your friends you can be sure that 360 Total Security is there to keep you &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3314\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 360 Total Security Privileged Escalation<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11946,10757],"class_list":["post-8329","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-privilege-escalation","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8329"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8329\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8329"}],"curies":[{"nam
e":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}