黑鸟每日安全资源推送​第27期

释放双眼,带上耳机,听听看~!

360 Total Security 软件(360 杀软)Shcore.dll DLL 劫持提权漏洞https://blogs.securiteam.com/index.php/archives/3314

 ExecScent:在真实网络下使用自适应控制协议模板挖掘新的C&C域名http://paper.kakapo.ml/?p=177

Torrent repack 恶意软件分析

http://mrexodia.cf/reversing/2017/07/12/Analyzing-torrent-repack-malware

利用Office模版注入攻击关键基础设施(原文在下载链接中)

http://bobao.360.cn/learning/detail/4098.html

链接: http://pan.baidu.com/s/1hrAv8Te 密码: 33kg

求关注

360 Total Security 软件(360 杀软)Shcore.dll DLL 劫持提权漏洞(原文)


SSD Advisory – 360 Total Security Privileged Escalation

Want to get paid for a vulnerability similar to this one?

Vulnerability Summary
The following advisory describes an Privileged Escalation vulnerability found in 360 Total Security.

360 Total Security offers your PC complete protection from Viruses, Trojans and other emerging threats.

Whether you are shopping online, downloading files or chatting with your friends you can be sure that 360 Total Security is there to keep you safe and your computer optimized. Clean-up utility is just one click away to keep your PC in optimal condition.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vendor has released patches to address this vulnerability and has only provided these details in response to our query on the status: “We will release this patch on 7/7”

Vulnerability Details
When 360 Total security is load on Windows machine the binaries try to load a DLL (Shcore.dll) in order to display correctly in High DPI displays.

360 Total security install Shcore.dll on Windows 8.1 and above, but not in previous versions (for example – Windows 7 and XP). For this reason, the administration components of 360 Total Security try to find and load this DLL in Windows 7 too, where it does not exist.

Placing a DLL named Shcore.dll in a directory listed in the PATH system variable will load this in the memory space of 360 software. Loading the DLL inside a 360 administration process gives us privileges of administrator.

Proof of Concept

  • Install 360 Total Security and optionally update to the latest version

  • Log into a Windows 7 and create a DLL planting environment

  1. The easiest way is to install Python for Windows

  2. “Add Python to the path” in the installer (most common install option)

  • Log in as a totally unprivileged user and copy the DLL renamed to Shcore.dll to C:\Python27 (in case you used Python as the DLL planting vector)

  • Now there are two options in order to trigger the vulnerability

  1. In case the administrator is not logged in, log in as administrator (fastest way)

  2. If the administrator is already logged in – it will take several minutes. The reason is, 360 launches periodically processes in the background. Any of them will trigger the vulnerability and execute the code. Test have shown this is a matter of minutes.

本文源自微信公众号:黑鸟

人已赞赏
安全工具

APT组织Tick再度出击;Olympic Destroyer仍在活动;URLAzone恶意软件攻击

2019-10-16 10:11:12

安全工具

通过存在7年之久的“空格”特征识别在野Cobalt Strike服务器组件(含规则)

2019-10-16 10:11:18

0 条回复 A文章作者 M管理员
    暂无讨论,说说你的看法吧
个人中心
购物车
优惠劵
今日签到
有新私信 私信列表
搜索