Quick Heal Total Security Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1023225
SecurityTracker URL: http://securitytracker.com/id/1023225
Updated: Nov 23 2009
Original Entry Date: Nov 23 2009
Execution of arbitrary code via local system, Root access via local system
Exploit Included: Yes
Version(s): 2009; possibly other versions
Nishant Das Patnaik reported a vulnerability in Quick Heal Total Security. A local user can obtain elevated privileges on the target system.
The software installs program files with 'Full Control' privileges for the 'Everyone' group. A local user can modify the executable files to cause arbitrary code to be executed on the target system with System privileges when the system starts up.
The 'SCANWSCS.EXE' and 'OPSSVC.EXE' files are affected.
Quick Heal Antivirus Plus 2009 is also affected.
A local user can obtain System privileges on the target system.
No solution was available at the time of this entry.
Vendor URL: www.quickheal.co.in/
Access control error, Configuration error
Underlying OS: Windows (Any)
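A defender-side check for the condition described above, as an added example (not part of the SecurityTracker entry or the researcher's report): it lists Windows service executables, and their folders, whose ACL grants write, delete or permission-change rights to broad groups such as Everyone. The function names `Get-ServiceBinaryPath` and `Test-WeakAcl` are illustrative, and the choice of groups and rights to flag is an assumption of this example.

```powershell
# Added example: flag service binaries (and their folders) writable by broad groups.
# Well-known SIDs are used so the check does not depend on localized group names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Rights that permit replacing, renaming or re-permissioning a file or folder entry.
$rights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [System.Security.AccessControl.FileSystemRights]$rights

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry command-line arguments.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Test-WeakAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Translate every ACE identity to a SID; include explicit and inherited entries.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($broadSids.ContainsKey($sid) -and ($ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{ Path = $Path; Principal = $broadSids[$sid]; Rights = $ace.FileSystemRights }
        }
    }
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $bin = Get-ServiceBinaryPath $svc.PathName
    if ($bin -and (Test-Path -LiteralPath $bin)) {
        # A writable folder allows the rename-and-replace sequence even if the file ACL is tight.
        $targets = @($bin, [System.IO.Path]::GetDirectoryName($bin))
        $targets | ForEach-Object { Test-WeakAcl $_ } |
            Select-Object @{n='Service';e={$svc.Name}}, @{n='RunsAs';e={$svc.StartName}},
                          Path, Principal, Rights
    }
} | Format-Table -AutoSize -Wrap
```

Any row whose RunsAs column shows LocalSystem and whose Principal is Everyone matches the configuration this advisory describes.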
Source Message Contents
Subject: Vulnerability Report *Edited*
My name is Nishant Das Patnaik. I'm an independent security researcher based
out of India. I have discovered a Local Escalation of Privilege
Vulnerability in multiple products of Quick Heal Technologies Pvt. Ltd.
Details are available in the attached file.
Nishant Das Patnaik
Local privilege escalation vulnerability in Quick Heal Total Security 2009
Quick Heal Technologies Pvt. Ltd. (India)
VULNERABLE PRODUCTS (TARGET)
Antivirus Plus 2009
Total Security 2009
Previous versions are very likely to be affected
DETAILS (NATURE OF PROBLEM)
Quick Heal Total Security 2009 installs its own program files with insecure permissions
(Everyone - Full Control). A local attacker (unprivileged user) can
replace some files (for example, executable files of Total Security 2009 services)
with a malicious file and execute arbitrary code with SYSTEM privileges. This
is a local privilege escalation vulnerability.
For example, the following attack scenario could be used:
1. An attacker (unprivileged user) renames one of the program
files (below, the FILE). For example, the FILE could be any of the following
2. An attacker copies his malicious executable file (with the same name as
the old filename of the FILE - SCANWSCS.exe) to the program files folder.
3. Restart the system.
After restart, the attacker's malicious file will be executed with SYSTEM
This is a local privilege escalation vulnerability. An attacker must have
valid logon credentials to a system where vulnerable software is
Nishant Das Patnaik