Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Zillya Total Security 3.0.2367.0 - Local Privilege Escalation

🗓️ 30 Mar 2023 00:00:00Reported by M. Akil GündoğanType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 168 Views

Zillya Total Security Local Privilege Escalation affecting Windows 1

Code
# Exploit Title: Zillya Total Security 3.0.2367.0  - Local Privilege Escalation
# Date: 02.12.2022
# Author: M. Akil Gündoğan 
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://zillya.com/
# Software Link: (https://download.zillya.com/ZTS3.exe) / (https://download.zillya.com/ZIS3.exe)
# Version: IS (3.0.2367.0) / TS (3.0.2368.0)
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/vRCZR1kd89Q

Vulnerabiliy Description: 
---------------------------------------
Zillya's processes run in SYSTEM privileges. The user with low privileges in the system can copy any file they want 
to any location by using the quarantine module in Zillya. This is an example of AVGater vulnerabilities that are often 
found in antivirus programs. 

You can read the article about AVGater vulnerabilities here: 
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/

The vulnerability affects both "Zillya Total Security" and "Zillya Internet Security" products.

Step by step produce:
---------------------------------------
1 - Attackers create new folder and into malicious file. It can be a DLL or any file. 

2 - Attacker waits for "Zillya Total Security" or "Zillya Internet Security" to quarantine him.

3 - The created folder is linked with the Google Symbolic Link Tools "Create Mount Point" tools to the folder that 
the current user does not have write permission to. 

You can find these tools here: https://github.com/googleprojectzero/symboliclink-testing-tools 

4 - Restores the quarantined file. When checked, it is seen that the file has been moved to an unauthorized location. 
This is evidence of escalation vulnerability. An attacker with an unauthorized user can write to directories that require 
authorization. Using techniques such as DLL hijacking, it can gain access to SYSTEM privileges.

Advisories:
---------------------------------------
Developers should not allow unauthorized users to restore from quarantine unless necessary. 

Also, it should be checked whether the target file has been copied to the original location. Unless necessary, users 
should not be able to interfere with processes running with SYSTEM privileges. All processes on the user's side should 
be run with normal privileges.

Disclosure Timeline:
---------------------------------------
13.11.2022 - Vulnerability reported via email but no response was given and the fix was not released.
02.12.2022 - Full disclosure.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
30 Mar 2023 00:00Current
7.4High risk
Vulners AI Score7.4
zillya total securitylocal privilege escalationwindows 10antivirus vulnerabilitiesgoogle symbolic link toolsunauthorized accessfull disclosure
168