0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Zillya Total Security 3.0.2367.0 - Local Privilege Escalation Vulnerability
# Exploit Title: Zillya Total Security 3.0.2367.0 - Local Privilege Escalation # Author: M. Akil Gündoğan # Contact: https://twitter.com/akilgundogan # Vendor Homepage: https://zillya.com/ # Software Link: (https://download.zillya.com/ZTS3.exe) / (https://download.zillya.com/ZIS3.exe) # Version: IS (3.0.2367.0) / TS (3.0.2368.0) # Tested on: Windows 10 Professional x64 # PoC Video: https://youtu.be/vRCZR1kd89Q Vulnerabiliy Description: --------------------------------------- Zillya's processes run in SYSTEM privileges. The user with low privileges in the system can copy any file they want to any location by using the quarantine module in Zillya. This is an example of AVGater vulnerabilities that are often found in antivirus programs. You can read the article about AVGater vulnerabilities here: https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/ The vulnerability affects both "Zillya Total Security" and "Zillya Internet Security" products. Step by step produce: --------------------------------------- 1 - Attackers create new folder and into malicious file. It can be a DLL or any file. 2 - Attacker waits for "Zillya Total Security" or "Zillya Internet Security" to quarantine him. 3 - The created folder is linked with the Google Symbolic Link Tools "Create Mount Point" tools to the folder that the current user does not have write permission to. You can find these tools here: https://github.com/googleprojectzero/symboliclink-testing-tools 4 - Restores the quarantined file. When checked, it is seen that the file has been moved to an unauthorized location. This is evidence of escalation vulnerability. An attacker with an unauthorized user can write to directories that require authorization. Using techniques such as DLL hijacking, it can gain access to SYSTEM privileges. Advisories: --------------------------------------- Developers should not allow unauthorized users to restore from quarantine unless necessary. Also, it should be checked whether the target file has been copied to the original location. Unless necessary, users should not be able to interfere with processes running with SYSTEM privileges. All processes on the user's side should be run with normal privileges. Disclosure Timeline: --------------------------------------- 13.11.2022 - Vulnerability reported via email but no response was given and the fix was not released. 02.12.2022 - Full disclosure. # 0day.today [2024-09-28] #