CVE-2018-8090 in Total Security
Summary
by MITRE
Quick Heal Total Security 64 bit 17.00 (QHTS64.exe), (QHTSFT64.exe) - Version 10.0.1.38; Quick Heal Total Security 32 bit 17.00 (QHTS32.exe), (QHTSFT32.exe) - Version 10.0.1.38; Quick Heal Internet Security 64 bit 17.00 (QHIS64.exe), (QHISFT64.exe) - Version 10.0.0.37; Quick Heal Internet Security 32 bit 17.00 (QHIS32.exe), (QHISFT32.exe) - Version 10.0.0.37; Quick Heal AntiVirus Pro 64 bit 17.00 (QHAV64.exe), (QHAVFT64.exe) - Version 10.0.0.37; and Quick Heal AntiVirus Pro 32 bit 17.00 (QHAV32.exe), (QHAVFT32.exe) - Version 10.0.0.37 allow DLL Hijacking because of Insecure Library Loading.
Analysis
by VulDB Data Team • 03/10/2020
Quick Heal Total Security and the related Internet Security and AntiVirus Pro products, in both their 32-bit and 64-bit builds, contain a critical DLL hijacking vulnerability caused by insecure library loading in their executable components. The flaw lies in how these applications locate dynamic link libraries at load time, which gives an attacker the opportunity to execute arbitrary code with elevated privileges. The affected executables (QHTS64.exe, QHTSFT64.exe, QHIS64.exe, QHISFT64.exe, QHAV64.exe and QHAVFT64.exe, together with their 32-bit counterparts) handle the library search path improperly, so a malicious DLL placed in a location that is searched will be loaded automatically by the legitimate application.
The root cause corresponds to CWE-426 (Untrusted Search Path), the class of weakness in which an attacker can influence where an application looks for the code it loads. When these Quick Heal applications start, they search for required DLLs in a fixed order that includes the current working directory, so a DLL with the same name as a legitimate dependency placed in that directory can be loaded in place of the genuine library. Because the applications typically run with elevated privileges during system operations, this insecure search order enables privilege escalation. The vulnerability is particularly dangerous because it affects core security software that users trust to protect their systems, creating a significant attack surface that adversaries can exploit to gain persistent access.
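The search-order behaviour described above is easiest to reason about with a small model. The following block is an added illustration, not Quick Heal's code: it models the directories the Windows loader probes for a DLL named without a path, with SafeDllSearchMode on or off, and contrasts that with a process that has called SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) or LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32, modes under which the current directory and PATH are never searched. The install directory, the user's Downloads folder and the DLL name helper_example.dll are constructed for the example; the 16-bit system directory and KnownDLLs are left out of the model.

```python
# Added illustration (not Quick Heal's code): a model of the Windows DLL search
# order, used to reason about which copy of a DLL a process such as QHTS64.exe
# would pick up. Directory layout, user name and "helper_example.dll" are
# constructed; the product's install path is an assumption.
from dataclasses import dataclass

APP_DIR = r"C:\Program Files\Quick Heal\Total Security"  # assumed install dir
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
TRUSTED_DIRS = {APP_DIR.lower(), SYSTEM32.lower(), WINDIR.lower()}


@dataclass
class Host:
    """Constructed view of one machine: the process's current directory, its PATH,
    and the set of files that exist (full paths, compared case-insensitively)."""
    cwd: str
    path_dirs: list
    files: set
    safe_dll_search_mode: bool = True  # SafeDllSearchMode registry value, on by default

    def exists(self, full_path: str) -> bool:
        return full_path.lower() in {f.lower() for f in self.files}


def search_order(host: Host, mode: str) -> list:
    """Directories probed, in order, for a DLL requested by bare name.

    "legacy"       - LoadLibrary with a bare name (the pattern behind CVE-2018-8090);
                     the 16-bit system directory and KnownDLLs are omitted here.
    "default_dirs" - SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS):
                     application directory and System32 only, never CWD or PATH.
    "system32"     - LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32): System32 only.
    """
    if mode == "legacy":
        if host.safe_dll_search_mode:
            return [APP_DIR, SYSTEM32, WINDIR, host.cwd, *host.path_dirs]
        return [APP_DIR, host.cwd, SYSTEM32, WINDIR, *host.path_dirs]
    if mode == "default_dirs":
        return [APP_DIR, SYSTEM32]
    if mode == "system32":
        return [SYSTEM32]
    raise ValueError(f"unknown mode {mode!r}")


def resolve(host: Host, dll_name: str, mode: str = "legacy"):
    """Return the full path the loader would select, or None if the load fails."""
    for directory in search_order(host, mode):
        candidate = directory + "\\" + dll_name
        if host.exists(candidate):
            return candidate
    return None


def loads_from_trusted_dir(host: Host, dll_name: str, mode: str = "legacy") -> bool:
    """True when the selected copy lives in a directory standard users cannot write to
    (or when nothing is loaded at all, so nothing can be hijacked)."""
    path = resolve(host, dll_name, mode)
    if path is None:
        return True
    parent = path.rsplit("\\", 1)[0].lower()
    return parent in TRUSTED_DIRS


def example_host(safe_mode: bool = True) -> Host:
    """Constructed scenario: the process is started from a user-writable directory
    that holds a same-named copy of a system DLL and a copy of a DLL the product
    requests but does not ship (the "missing dependency" case)."""
    cwd = r"C:\Users\alice\Downloads"
    return Host(
        cwd=cwd,
        path_dirs=[r"C:\Tools"],
        files={
            r"C:\Windows\System32\version.dll",   # genuine system DLL
            cwd + r"\version.dll",                # untrusted same-named copy
            cwd + r"\helper_example.dll",         # hypothetical DLL not present anywhere trusted
        },
        safe_dll_search_mode=safe_mode,
    )


if __name__ == "__main__":
    host = example_host()
    for dll in ("version.dll", "helper_example.dll"):
        for mode in ("legacy", "default_dirs"):
            print(f"{mode:13} {dll:20} -> {resolve(host, dll, mode)}")
```

The model shows the nuance a practitioner needs: with SafeDllSearchMode on, a DLL that genuinely exists in System32 is found there before the current directory is reached, so the exposed case is a dependency that is absent from the application and system directories, where the legacy order falls through to the current directory. Restricting the loader to the application directory and System32 turns that case into a failed load rather than a hijack.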
The operational impact goes beyond simple code execution: the flaw gives an attacker a pathway to system compromise and privilege escalation. An attacker who can place a malicious DLL in the application's working directory, or anywhere else in the library search path, can hijack the execution flow of these security applications. Malicious code then runs in the context of the security software, where it may bypass security controls or modify the security application itself to disable its protective measures. The vulnerability affects systems where these applications are installed and run with elevated privileges, which makes it particularly concerning for enterprise environments, where security software typically operates with administrative rights.
Mitigation should focus on securing the DLL search path and restricting the execution environment of the vulnerable applications. System administrators should ensure that the current working directory is not part of the DLL search path for critical applications and that applications use secure library loading practices. The recommended approach is to have applications call LoadLibraryEx with the LOAD_WITH_ALTERED_SEARCH_PATH flag, or to deploy application whitelisting that restricts which DLLs may be loaded. Network administrators should also consider restrictions that prevent attackers from placing DLL files in locations these applications will search. Organizations should keep their Quick Heal products patched and deploy tooling that monitors for suspicious DLL loading activity so that exploitation attempts can be detected. This vulnerability underlines the importance of secure coding practices and proper library loading mechanisms in security software, which is often the first line of defense in protecting systems from other attacks. The ATT&CK framework classifies this type of vulnerability under privilege escalation techniques, specifically the abuse of insecure library loading to gain elevated privileges and maintain persistence within compromised systems.
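The monitoring the paragraph recommends can be expressed as a simple rule over image-load telemetry. The following block is an added detection example, not code from VulDB or Quick Heal: it scans constructed JSON lines that loosely follow the fields of Sysmon Event ID 7 (Image loaded) and raises an alert whenever one of the executables named in the advisory loads a module from outside the product's install directory and the Windows system directories, or loads an unsigned module. The install path is an assumption, the events and the DLL names helper_example.dll and example_component.dll are constructed, and the alert is tagged with ATT&CK T1574.001 (DLL Search Order Hijacking), the technique the page's closing sentence refers to.

```python
# Added detection example (not VulDB's or Quick Heal's code): flag DLL loads by
# the CVE-2018-8090 executables that come from an unexpected directory or are
# unsigned. Events are constructed JSON lines modelled on Sysmon Event ID 7.
import json

# Process image names listed in the advisory (compared case-insensitively).
VULNERABLE_IMAGES = {
    "qhts64.exe", "qhtsft64.exe", "qhts32.exe", "qhtsft32.exe",
    "qhis64.exe", "qhisft64.exe", "qhis32.exe", "qhisft32.exe",
    "qhav64.exe", "qhavft64.exe", "qhav32.exe", "qhavft32.exe",
}

# Directories these processes are expected to load code from (install path assumed).
EXPECTED_DLL_DIRS = (
    r"c:\program files\quick heal",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed telemetry. Each line is one event; paths use JSON-escaped backslashes.
CONSTRUCTED_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Quick Heal\\Total Security\\QHTS64.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\Quick Heal\\Total Security\\QHTS64.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\helper_example.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Quick Heal\\Total Security\\QHTSFT64.exe", "ImageLoaded": "C:\\Program Files\\Quick Heal\\Total Security\\example_component.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\helper_example.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Quick Heal\\AntiVirus Pro\\QHAV32.exe", "ImageLoaded": "C:\\Temp\\version.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Program Files\\Quick Heal\\Total Security\\QHTS64.exe", "CommandLine": "QHTS64.exe"}
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, so image names compare case-insensitively."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event: dict):
    """Return an alert dict for a suspicious image load by an affected process, else None."""
    if event.get("EventID") != 7:
        return None                      # only image-load events are relevant here
    process = basename(event.get("Image", ""))
    if process not in VULNERABLE_IMAGES:
        return None                      # rule is scoped to the advisory's executables
    loaded = event.get("ImageLoaded", "")
    reasons = []
    if not loaded.lower().startswith(EXPECTED_DLL_DIRS):
        reasons.append("loaded from unexpected directory")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned module")
    if not reasons:
        return None
    return {"process": process, "module": loaded, "reasons": reasons,
            "technique": "T1574.001"}


def scan(lines: str) -> list:
    """Run check_event over newline-delimited JSON events and collect the alerts."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        alert = check_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(CONSTRUCTED_EVENTS):
        print(f"{alert['process']}: {alert['module']} ({', '.join(alert['reasons'])})")
```

Two of the constructed events fire: the unsigned module loaded from a Downloads folder, and a signed module loaded from C:\Temp. The second case is why the rule keys on the load directory and not only on the signature: a genuine, signed DLL copied into a user-writable directory is still a load the product should never perform. The notepad.exe load of the same file is deliberately out of scope, since this rule is tied to the executables the advisory names; a broader hunt would generalise the process filter.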