Quick Heal Total Security Quarantine Management Privilege Escalation Vulnerability

Vulnerability

A vulnerability in Quick Heal Total Security version 23.0.0 has been identified within the quarantine management component. The issue arises from inadequate validation of restore paths and improper permission handling, which allow low-privileged local users to restore quarantined files to protected system directories. This vulnerability can be exploited by local attackers to place files in high-privilege locations, potentially leading to privilege escalation.

Impact

Exploitation of this vulnerability allows arbitrary file writes to high-integrity directories and local privilege escalation, and could enable service or DLL hijacking or the execution of attacker-controlled binaries with elevated privileges.

Reproduction

To reproduce this vulnerability, a low-privileged user must first quarantine a file. Once the file is quarantined, it can be mounted using the 'CreateMountlike' function. After mounting, the user can initiate the restore process, selecting or redirecting the restore path to a protected directory. The Quick Heal service will then write the file to the specified location without validating the path or checking whether the user has permission to write there.

Remediation

Until a patch is released, it is recommended to disable or restrict quarantine mount and restore capabilities for non-administrator users. Additionally, monitor protected directories for unexpected writes by Quick Heal services and apply policy rules to prevent unauthorized restorations to system paths.
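
The monitoring recommended above can be prototyped as a filter over file-creation events. This is an added example, not code from the advisory or the vendor. The field names follow Sysmon Event ID 11 (FileCreate); the sample events, the protected-directory list and the service install path are constructed placeholders, because the advisory names no binary or path.

```python
import ntpath

# Assumption: directories treated as protected; tune to your own baseline.
PROTECTED_DIRS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]
# Placeholder: the advisory names no service binary or install path.
AV_IMAGE_DIRS = [r"C:\Program Files\AV-INSTALL-DIR-PLACEHOLDER"]
# Extensions tied to the service/DLL hijacking impact described above.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}

def _norm(path):
    # Unify separators, "." / ".." segments and case before comparing.
    return ntpath.normcase(ntpath.normpath(path))

def _is_under(path, roots):
    p = _norm(path)
    return any(p == _norm(r) or p.startswith(_norm(r) + "\\") for r in roots)

def suspicious_restores(events):
    """Flag file creations by the AV service inside protected directories
    but outside its own install tree."""
    hits = []
    for ev in events:
        image, target = ev["Image"], ev["TargetFilename"]
        if not _is_under(image, AV_IMAGE_DIRS):
            continue  # written by some other process
        if _is_under(target, AV_IMAGE_DIRS):
            continue  # the product maintaining its own files
        if _is_under(target, PROTECTED_DIRS):
            ext = ntpath.splitext(target)[1].lower()
            sev = "high" if ext in EXECUTABLE_EXTS else "medium"
            hits.append({**ev, "severity": sev})
    return hits

# Constructed sample events (not real telemetry).
_SVC = AV_IMAGE_DIRS[0] + r"\service-placeholder.exe"
SAMPLE_EVENTS = [
    {"Image": _SVC, "TargetFilename": r"C:\Windows\System32\example.dll"},
    {"Image": _SVC, "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"Image": _SVC, "TargetFilename": AV_IMAGE_DIRS[0] + r"\quarantine\0001.dat"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\App\app.exe"},
    {"Image": _SVC, "TargetFilename": r"c:/program files (x86)/App/readme.txt"},
]

if __name__ == "__main__":
    for hit in suspicious_restores(SAMPLE_EVENTS):
        print(hit["severity"], hit["TargetFilename"])
```

Restores to user-writable locations and writes inside the product's own directory are ignored, so only the two writes into protected directories are reported.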

Added: Feb 3, 2026, 6:35 PM
Updated: Feb 3, 2026, 6:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 8.3
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.