exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Zillya Total Security 3.0.2367.0 / 3.0.2368.0 Local Privilege Escalation

Zillya Total Security 3.0.2367.0 / 3.0.2368.0 Local Privilege Escalation
Posted Dec 5, 2022
Authored by M. Akil Gundogan

Zillya Total Security versions 3.0.2367.0 and 3.0.2368.0 suffer from a local privilege escalation vulnerability via a symlink vulnerability when using the quarantine module.

tags | exploit, local
SHA-256 | 2dd73b1e8ea08e5ab446f87179141526db439ac124db481912ba977a9d7b4e24

Zillya Total Security 3.0.2367.0 / 3.0.2368.0 Local Privilege Escalation

Change Mirror Download
# Title: Zillya Total Security - Link Following Local Privilege Escalation (AVGater) Vulnerability
# Date: 02.12.2022
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://zillya.com/
# Software Link: (https://download.zillya.com/ZTS3.exe) / (https://download.zillya.com/ZIS3.exe)
# Version: IS (3.0.2367.0) / TS (3.0.2368.0)
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/vRCZR1kd89Q

Vulnerabiliy Description:
---------------------------------------
Zillya's processes run in SYSTEM privileges. The user with low privileges in the system can copy any file they want
to any location by using the quarantine module in Zillya. This is an example of AVGater vulnerabilities that are often
found in antivirus programs.

You can read the article about AVGater vulnerabilities here:
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/

The vulnerability affects both "Zillya Total Security" and "Zillya Internet Security" products.

Step by step produce:
---------------------------------------
1 - Attackers create new folder and into malicious file. It can be a DLL or any file.

2 - Attacker waits for "Zillya Total Security" or "Zillya Internet Security" to quarantine him.

3 - The created folder is linked with the Google Symbolic Link Tools "Create Mount Point" tools to the folder that
the current user does not have write permission to.

You can find these tools here: https://github.com/googleprojectzero/symboliclink-testing-tools

4 - Restores the quarantined file. When checked, it is seen that the file has been moved to an unauthorized location.
This is evidence of escalation vulnerability. An attacker with an unauthorized user can write to directories that require
authorization. Using techniques such as DLL hijacking, it can gain access to SYSTEM privileges.

Advisories:
---------------------------------------
Developers should not allow unauthorized users to restore from quarantine unless necessary.

Also, it should be checked whether the target file has been copied to the original location. Unless necessary, users
should not be able to interfere with processes running with SYSTEM privileges. All processes on the user's side should
be run with normal privileges.

Disclosure Timeline:
---------------------------------------
13.11.2022 - Vulnerability reported via email but no response was given and the fix was not released.
02.12.2022 - Full disclosure.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close