Qi-Anxin Tianqing Endpoint Security Management System Privilege Escalation Vulnerability via DLL Hijacking
Vulnerability
Qi-Anxin Tianqing Endpoint Security Management System version 10.0 lets a low-privileged user restore a quarantined file to an arbitrary path, including protected system directories such as C:\Windows\System32. Because the restore is carried out on the user's behalf by the EDR's privileged component, a standard user obtains a file write that the System32 ACL would otherwise forbid. Combined with a known Windows DLL hijacking weakness (a service that loads from System32 a DLL which is absent on a default install), that write becomes local privilege escalation to SYSTEM. The issue was tested and confirmed on version 10.0.
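The underlying defect is a missing restore-path policy rather than anything specific to the DLL involved. As an added illustration, not the vendor's code, the function below shows the shape of the check a quarantine-restore handler should apply before honouring a client's request; the function, parameter names and policy choices are hypothetical.

```powershell
# Added example (not Qi-Anxin code): restore-path policy a quarantine "restore"
# handler should enforce in its privileged component before writing the file back.
# Names and the exact policy are hypothetical.

function Test-SafeRestorePath {
    param(
        [Parameter(Mandatory)][string]$OriginalPath,   # where the file was quarantined from
        [Parameter(Mandatory)][string]$RequestedPath,  # where the client asks to put it back
        [Parameter(Mandatory)][bool]$CallerIsAdmin     # from the caller's token, not from the request
    )

    # Canonicalize first so C:\Users\..\Windows\System32\x.dll is recognised as System32.
    # Caveat: GetFullPath does not expand 8.3 short names (C:\PROGRA~1); a production
    # implementation should open the target and compare the final path from the handle.
    $req  = [System.IO.Path]::GetFullPath($RequestedPath)
    $orig = [System.IO.Path]::GetFullPath($OriginalPath)

    # Directories that privileged Windows components load code from. A non-admin
    # caller must never be able to place a file under any of these via restore.
    $protected = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
        Where-Object { $_ } |
        ForEach-Object { [System.IO.Path]::GetFullPath($_).TrimEnd('\') + '\' }   # trailing '\' stops C:\Windows2 matching C:\Windows

    $underProtected = [bool]($protected |
        Where-Object { $req.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })

    if ($CallerIsAdmin) {
        # An administrator could write there anyway; restore to wherever was asked.
        return $true
    }

    # Non-admin: only back to the exact original location, and never into a protected root.
    return ($req -ieq $orig) -and (-not $underProtected)
}

# Hypothetical calls showing the policy in action:
Test-SafeRestorePath -OriginalPath 'C:\Users\bob\Downloads\a.dll' -RequestedPath 'C:\Users\bob\Downloads\a.dll' -CallerIsAdmin $false   # $true
Test-SafeRestorePath -OriginalPath 'C:\Users\bob\Downloads\a.dll' -RequestedPath 'C:\Windows\System32\SprintCSP.dll' -CallerIsAdmin $false   # $false
Test-SafeRestorePath -OriginalPath 'C:\Users\bob\Downloads\a.dll' -RequestedPath 'C:\Users\bob\..\..\Windows\System32\a.dll' -CallerIsAdmin $false   # $false
```

The important design point is that the admin decision comes from the caller's security token on the server side, never from a flag the client sends, and that the original path is taken from the quarantine record rather than from the restore request.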
Impact
A local, low-privileged user can turn the arbitrary restore location into code execution as SYSTEM, gaining full control of the host and the ability to read or modify any system resource or data on it.
Reproduction
To reproduce the vulnerability, first build a DLL named 'sprintcsp.dll' whose loading executes the attacker's commands. Drop the DLL on the target machine so that the EDR client detects and quarantines it (the file has to trip detection, otherwise there is nothing to restore). From the EDR client interface, restore the quarantined file and mark it as trusted, choosing 'C:\Windows\System32' as the restore location; the privileged EDR component writes the DLL there on the low-privileged user's behalf. With the DLL in place, a local program that triggers the known DLL hijacking weakness in the 'StorSvc' service causes the service to load 'sprintcsp.dll', which then runs with SYSTEM privileges. Note that the EDR defect is the unrestricted restore location; the StorSvc hijack only supplies the code-execution step, and any other service-side DLL search-order weakness reachable from System32 would serve the same purpose.
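Two checks a tester or defender will want around this procedure, as an added example rather than part of the original advisory: a baseline that a standard user really cannot write to System32 directly (if that already succeeds, no EDR bug is needed), and a hunt for the indicator the attack leaves behind, since SprintCSP.dll does not ship with Windows and any copy in System32 deserves a look. The probe file name is an assumption.

```powershell
# Added example, not from the advisory. Run Test-System32DirectWrite from a normal,
# non-elevated user session; Get-SprintCspIndicator is a defender-side hunt.

function Test-System32DirectWrite {
    # Baseline check: a standard user must NOT be able to create a file here.
    # Returns $true only if the write succeeded (host is already misconfigured).
    $probe = Join-Path $env:SystemRoot 'System32\probe-write-test.tmp'   # hypothetical probe name
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        # Expected outcome for a standard user: access denied.
        return $false
    }
}

function Get-SprintCspIndicator {
    # SprintCSP.dll is not part of a default Windows install; StorSvc looks for it anyway,
    # which is what makes the hijack work. Report anything found there, with provenance.
    $path = Join-Path $env:SystemRoot 'System32\SprintCSP.dll'
    if (-not (Test-Path -LiteralPath $path)) { return $null }

    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Path         = $path
        Owner        = (Get-Acl -LiteralPath $path).Owner          # SYSTEM owner with user content is the tell
        CreatedUtc   = $item.CreationTimeUtc                          # correlate with EDR restore events
        SignStatus   = $sig.Status                                    # 'Valid' only if signed and chained to a trusted root
        Signer       = $subject
        StorSvcState = (Get-Service -Name StorSvc -ErrorAction SilentlyContinue).Status
        Suspicious   = ($sig.Status -ne 'Valid') -or ($subject -notlike '*Microsoft*')
    }
}

"Standard user can write System32 directly: $(Test-System32DirectWrite)"
$ioc = Get-SprintCspIndicator
if ($ioc) { $ioc | Format-List } else { 'No SprintCSP.dll in System32 (expected on a clean host).' }
```

A file whose owner is SYSTEM but whose creation time lines up with a user's quarantine-restore action, and which is unsigned, is the combination this vulnerability produces; the same hunt extends naturally to any other DLL name a service is known to look up in System32 without shipping it.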
