VYPR
Unrated severity · NVD Advisory · Published Dec 26, 2020 · Updated Aug 4, 2024

CVE-2020-35364

Description

Beijing Huorong Internet Security 5.0.55.2 allows a non-admin user to escalate privileges by injecting code into a process, and then waiting for a Huorong services restart or a system reboot.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Beijing Huorong Internet Security 5.0.55.2 allows local non-admin users to escalate privileges by injecting code into a process and waiting for a service restart or system reboot.

Vulnerability

Beijing Huorong Internet Security version 5.0.55.2 contains a privilege escalation vulnerability. A non-admin user can inject arbitrary code into a running process handled by the Huorong security software. The injection can be performed without special permissions due to insufficient access controls. Once code is injected, the attacker must wait for a Huorong services restart or a system reboot for the injected code to execute with higher privileges [1][2].

Exploitation

Exploitation requires local access as a non-admin user. The attacker must inject code into a process (e.g., via common process injection techniques) that is monitored or managed by Huorong. The PoC demonstrates code injection that survives until the next Huorong service restart or system reboot [2]. The attacker then waits for a reboot or manual service restart, which causes the injected code to run in the context of the elevated Huorong service, thereby escalating privileges from a standard user to a higher integrity level (likely SYSTEM) [1].

Impact

Successful exploitation allows a non-admin user to gain elevated privileges, potentially SYSTEM-level access, on the affected Windows system. This compromises confidentiality, integrity, and availability – the attacker can execute arbitrary code with high privileges, install programs, modify system files, and create new accounts with full user rights [1].

Mitigation

No vendor fix or mitigation has been publicly disclosed as of the publication date (2020-12-26). Users are advised to apply the principle of least privilege and monitor for unusual process injection attempts. The vulnerability is not known to be listed in CISA's KEV. Users of Huorong Internet Security 5.0.55.2 should consider updating to a newer version if available, or restricting local access to trusted users only [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
