CVE-2017-12653 in 360 Total Security
Summary
by MITRE
360 Total Security 9.0.0.1202 before 2017-07-07 allows Privilege Escalation via a Trojan horse Shcore.dll file in any directory in the PATH, as demonstrated by the C:\Python27 directory.
Analysis
by VulDB Data Team • 11/04/2019
CVE-2017-12653 is a privilege escalation vulnerability in 360 Total Security 9.0.0.1202, affecting builds released before 2017-07-07. It stems from insecure library loading: a component of the product loads Shcore.dll by bare file name, so the Windows loader falls back to the directories listed in the PATH environment variable when the library is not found in the application or system directories. An attacker who can write to any directory on the PATH can therefore plant a crafted Shcore.dll that the product loads and executes; the demonstration used C:\Python27, a directory that a standard user can typically write to. The flaw maps to CWE-426 (Untrusted Search Path): the program resolves a library from a location an attacker can influence. Because the planted DLL's code runs inside the loading process, it inherits that process's privileges, and since the product runs with higher privileges than the user who dropped the file, the result is arbitrary code execution at that elevated level. Operationally this matters in any environment where 360 Total Security is deployed: the component expected to enforce security controls becomes the vehicle for bypassing them. In ATT&CK terms, VulDB cites T1068 (Exploitation for Privilege Escalation); the specific behaviour involved is T1574.001, Hijack Execution Flow: DLL Search Order Hijacking.
The impact extends beyond the single process: code running at the product's privilege level can establish persistence, tamper with the security software itself and serve as a foothold for lateral movement. The case underlines the need for privilege separation and deliberate library-loading practices in security software, which runs elevated and is therefore an attractive hijacking target. Organizations should audit the ACLs of every directory on the system-wide PATH, remove or lock down entries writable by standard users, watch for unexpected DLLs appearing in those directories, and patch security software promptly. Remediation consists of updating to a build of 360 Total Security released on or after 2017-07-07, which removed the search-order fall-through that let a Trojan Shcore.dll be loaded from the PATH.
Technically the exploit relies on the Windows DLL search order. When a process calls LoadLibrary with a bare file name, the loader looks in the application's own directory, then the system directories (System32, System, Windows), then the current directory, and finally each PATH entry in order, loading the first file whose name matches. The vulnerable component requests Shcore.dll without a fully qualified path or a restricted search flag, so on a host where no Shcore.dll exists in the system directories (older Windows releases do not ship it) the lookup falls through to the PATH, and the first PATH directory holding a file of that name supplies it. No race condition is involved: the loader deterministically picks the attacker's file whenever it sits in a PATH directory searched before any legitimate copy. The name is not chosen to evade detection; it is simply the name the application asks for, which also means that monitoring for suspicious file names gives no signal, since Shcore.dll is a legitimate Windows library name. The flaw is classified as CWE-426 (Untrusted Search Path). The only precondition is write access to one PATH directory; a directory created directly under the drive root, such as C:\Python27, typically inherits an ACL that grants Authenticated Users write access, which is why the demonstration used it. The result is a complete inversion of the security model: a file dropped by a low-privileged user runs inside the privileged security product.
Fixing this class of bug means never letting the loader reach the PATH for the library: load it by fully qualified path, call LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32, or call SetDefaultDllDirectories at process start to drop the PATH and the current directory from the default search, and treat the library as optional when it is genuinely absent instead of falling back. On the operational side, organizations should keep user-writable directories off the system-wide PATH, restrict write access to the directories that must stay on it, and alert on new DLLs appearing in them.
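The search-order fall-through described above and the restricted lookup that fixes it, as an added Python model that is not part of the advisory or of the product's code. The install directory (`C:\Program Files\Example AV`), the file layout and the set of user-writable directories are constructed for the example, and `resolve_system32_only` mirrors the semantics of LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 rather than calling the Windows API.

```python
"""Model of the Windows DLL search order (SafeDllSearchMode on, the default)
showing why a planted Shcore.dll in a PATH directory gets loaded, plus an
audit that lists where an attacker could plant it. Directory layout, ACLs and
the install path below are constructed, not taken from the advisory."""

# Directories searched after the application's own directory, in this order.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_env):
    """Directories LoadLibrary("name.dll") consults, in order: application
    directory, system directories, current directory, then each PATH entry
    left to right. PATH is split on ';' (the Windows separator)."""
    order = [app_dir] + SYSTEM_DIRS + [cwd]
    order += [p.strip() for p in path_env.split(";") if p.strip()]
    return order


def _has(files, directory, name):
    # Windows file names are case-insensitive.
    return name.lower() in {f.lower() for f in files.get(directory, ())}


def resolve_dll(name, order, files):
    """First directory in `order` holding `name`, or None (load fails)."""
    for d in order:
        if _has(files, d, name):
            return d
    return None


def hijack_points(name, order, files, writable):
    """Directories where an attacker with write access could plant `name` so
    it is loaded instead of (or in the absence of) the legitimate copy: every
    writable directory searched up to and including the one that resolves."""
    points = []
    for d in order:
        if d in writable:
            points.append(d)
        if _has(files, d, name):
            break
    return points


def resolve_system32_only(name, files):
    """Resolution under LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32): only
    System32 is consulted, so the PATH can never supply the library. A missing
    library then fails cleanly instead of being satisfied by an attacker."""
    return SYSTEM_DIRS[0] if _has(files, SYSTEM_DIRS[0], name) else None


# --- constructed sample host -------------------------------------------------
APP_DIR = r"C:\Program Files\Example AV"   # hypothetical install directory
CWD = r"C:\Windows\System32"               # typical cwd of a Windows service
PATH_ENV = r"C:\Windows\System32;C:\Windows;C:\Python27;C:\Tools"
FILES = {
    APP_DIR: {"av.exe", "avcore.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},  # no Shcore.dll here
    r"C:\Python27": {"python.exe", "Shcore.dll"},            # planted Trojan DLL
    r"C:\Tools": {"helper.dll"},                             # legitimate helper
}
# Directories a standard user can write to. C:\Python27 inherits the drive
# root ACL, which by default lets Authenticated Users create files in it.
WRITABLE = {r"C:\Python27", r"C:\Tools"}


def demo():
    """Resolve three lookups and report where each could be hijacked."""
    order = search_order(APP_DIR, CWD, PATH_ENV)
    report = {}
    for dll in ("kernel32.dll", "Shcore.dll", "helper.dll"):
        report[dll] = {
            "default": resolve_dll(dll, order, FILES),
            "hijack_points": hijack_points(dll, order, FILES, WRITABLE),
            "system32_only": resolve_system32_only(dll, FILES),
        }
    return report


if __name__ == "__main__":
    for dll, result in demo().items():
        print(dll, result)
```

In the model kernel32.dll resolves from System32 with no hijack point, Shcore.dll falls through to C:\Python27, and helper.dll shows pre-emption: C:\Python27 is searched before its legitimate home C:\Tools, so a writable earlier entry is a hijack point even when the real library exists. On a live host the writable set should come from the actual ACLs (Get-Acl or icacls on each PATH entry), not from os.access, which ignores Windows DACLs.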