bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/51151.txt
Exploit-DB 42ade901fe DB: 2023-03-31 
22 changes to exploits/shellcodes/ghdb

LISTSERV 17 - Insecure Direct Object Reference (IDOR)
LISTSERV 17 - Reflected Cross Site Scripting (XSS)

Router ZTE-H108NS - Stack Buffer Overflow (DoS)

Router ZTE-H108NS - Authentication Bypass

Boa Web Server v0.94.14 - Authentication Bypass

Covenant v0.5 - Remote Code Execution (RCE)

Dreamer CMS v4.0.0 - SQL Injection

Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)

Virtual Reception v1.0 - Web Server Directory Traversal

4images 1.9 - Remote Command Execution (RCE)

ClicShopping v3.402 - Cross-Site Scripting (XSS)

Concrete5 CME v9.1.3 - Xpath injection

Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)

Ecommerse v1.0 - Cross-Site Scripting (XSS)

Eve-ng 5.0.1-13 - Stored Cross-Site Scripting (XSS)

myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)

WPForms 1.7.8 - Cross-Site Scripting (XSS)

CrowdStrike Falcon AGENT  6.44.15806  - Uninstall without Installation Token

Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path

Zillya Total Security 3.0.2367.0  - Local Privilege Escalation
2023-03-31 00:16:26 +00:00

48 lines
No EOL
2.4 KiB
Text
Raw Permalink Blame History

# Exploit Title: Zillya Total Security 3.0.2367.0 - Local Privilege Escalation
# Date: 02.12.2022
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://zillya.com/
# Software Link: (https://download.zillya.com/ZTS3.exe) / (https://download.zillya.com/ZIS3.exe)
# Version: IS (3.0.2367.0) / TS (3.0.2368.0)
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/vRCZR1kd89Q
Vulnerabiliy Description:
---------------------------------------
Zillya's processes run in SYSTEM privileges. The user with low privileges in the system can copy any file they want
to any location by using the quarantine module in Zillya. This is an example of AVGater vulnerabilities that are often
found in antivirus programs.
You can read the article about AVGater vulnerabilities here:
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
The vulnerability affects both "Zillya Total Security" and "Zillya Internet Security" products.
Step by step produce:
---------------------------------------
1 - Attackers create new folder and into malicious file. It can be a DLL or any file.
2 - Attacker waits for "Zillya Total Security" or "Zillya Internet Security" to quarantine him.
3 - The created folder is linked with the Google Symbolic Link Tools "Create Mount Point" tools to the folder that
the current user does not have write permission to.
You can find these tools here: https://github.com/googleprojectzero/symboliclink-testing-tools
4 - Restores the quarantined file. When checked, it is seen that the file has been moved to an unauthorized location.
This is evidence of escalation vulnerability. An attacker with an unauthorized user can write to directories that require
authorization. Using techniques such as DLL hijacking, it can gain access to SYSTEM privileges.
Advisories:
---------------------------------------
Developers should not allow unauthorized users to restore from quarantine unless necessary.
Also, it should be checked whether the target file has been copied to the original location. Unless necessary, users
should not be able to interfere with processes running with SYSTEM privileges. All processes on the user's side should
be run with normal privileges.
Disclosure Timeline:
---------------------------------------
13.11.2022 - Vulnerability reported via email but no response was given and the fix was not released.
02.12.2022 - Full disclosure.
Reference in a new issue View git blame Copy permalink