360 Total Security - Local Privilege Escalation

## Vulnerability Summary
The following advisory describes an Privileged Escalation vulnerability found in 360 Total Security.

360 Total Security offers your PC complete protection from Viruses, Trojans and other emerging threats.

Whether you are shopping online, downloading files or chatting with your friends you can be sure that 360 Total Security is there to keep you safe and your computer optimized. Clean-up utility is just one click away to keep your PC in optimal condition.

## Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

## Vendor response
The vendor has released patches to address this vulnerability and has only provided these details in response to our query on the status: “We will release this patch on 7/7”

CVE: CVE-2017-12653

## Vulnerability Details
When 360 Total security is load on Windows machine the binaries try to load a DLL (Shcore.dll) in order to display correctly in High DPI displays.

360 Total security install Shcore.dll on Windows 8.1 and above, but not in previous versions (for example – Windows 7 and XP). For this reason, the administration components of 360 Total Security try to find and load this DLL in Windows 7 too, where it does not exist.

Placing a DLL named Shcore.dll in a directory listed in the PATH system variable will load this in the memory space of 360 software. Loading the DLL inside a 360 administration process gives us privileges of administrator.

## Proof of Concept

Install 360 Total Security and optionally update to the latest version
Log into a Windows 7 and create a DLL planting environment
The easiest way is to install Python for Windows
“Add Python to the path” in the installer (most common install option)
Log in as a totally unprivileged user and copy the DLL renamed to Shcore.dll to C:\Python27 (in case you used Python as the DLL planting vector)
Now there are two options in order to trigger the vulnerability
In case the administrator is not logged in, log in as administrator (fastest way)
If the administrator is already logged in – it will take several minutes. The reason is, 360 launches periodically processes in the background. Any of them will trigger the vulnerability and execute the code. Test have shown this is a matter of minutes.