Before reproducing the latest Windows 0day (an arbitrary file read that works from any user account), here is a quick introduction to the basic commands needed for user management on Windows.
This article was first published on my WeChat public account; you are welcome to follow it and join the technical exchange group (363034250) so we can improve together.
Basic Windows user management commands
Listing users
List all local users:
net user
Checking a user's privileges
net user xxx
This command shows the details of user xxx. As in the screenshot below, the "Local Group Memberships" field tells you which groups the user belongs to, and therefore what privileges the user has:
Users group: ordinary user privileges.
Administrators group: system administrator privileges. Members can change other users' privileges, for example by adding a member of the Users group to the Administrators group.
Adding a user
net user username password /add
A user created this way is placed in the Users group by default.
Elevating a user
net localgroup administrators username /add
Deleting a user
net user username /delete
Note that the most privileged principal on Windows is not Administrator but SYSTEM, the account that genuinely holds "full access" to the machine; for more on Windows user privileges, see that blog post.
Background on the arbitrary file read vulnerability
The vulnerability was found by a foreign security researcher known as SandboxEscaper, who published the PoC on her blog (access to the blog is currently restricted) and on GitHub. The bug lies in the MsiAdvertiseProduct function, which generates an advertise script or advertises a product to the computer; installers commonly use it to write product information and shortcuts into the registry.
Calling this function makes the Windows Installer service, which runs as SYSTEM, copy a file, and the attacker controls which file is copied. The function does perform a check on the source file during the call, but because the check and the copy resolve the path separately, the check can be bypassed with a TOCTOU race.
TOCTOU (time of check, time of use) is a file race condition: a program first checks whether the user may access a file (for example with access()) and only afterwards opens it (with open()). Because the path is resolved twice, an attacker can change what the path points to in the gap between the two operations. To widen that gap, an attacker on POSIX systems can stall the process with signals; on Windows the usual tool is an oplock, which the PoC author mentions as an alternative to the multi-core timing the PoC relies on, and the path is redirected with junctions.
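As an added example (not from the original post and not SandboxEscaper's PoC code), the following C program shows the check-then-use race described above on a POSIX system: a symlink stands in for the NTFS junction, the "attacker" repoints it in the window between the check and the open, and a hardened variant that validates the object it actually opened is shown beside the vulnerable one. All paths and names are invented for the demo, and the lab directory is created under /tmp.

```c
/* Added example (not from the original post or SandboxEscaper's PoC): a POSIX
 * check-then-use race. A symlink stands in for the NTFS junction; every path
 * and name below is invented for the demo. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*attacker_fn)(void);  /* the attacker's move inside the race window */

/* Lab: root/allowed/data.txt ("public"), root/secret/data.txt ("SECRET"),
 * root/link -> allowed. The caller always asks for root/link/data.txt. */
static char g_root[64], g_allowed[128], g_secret[128], g_link[128], g_request[160];
static struct stat g_approved;      /* identity (dev, inode) of the one allowed file */
static int g_lab_ready;

static void write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) { perror(path); exit(1); }
    fputs(text, f); fclose(f);
}

/* Repoint root/link. unlink+symlink is good enough for a serialized demo. */
static void point_link_at(const char *target) {
    unlink(g_link);
    if (symlink(target, g_link) != 0) { perror("symlink"); exit(1); }
}
static void attacker_swap(void) { point_link_at(g_secret); }

static void build_lab(void) {
    char p[160];
    if (g_lab_ready) return;
    strcpy(g_root, "/tmp/toctou-demo-XXXXXX");
    if (!mkdtemp(g_root)) { perror("mkdtemp"); exit(1); }   /* left behind for inspection */
    snprintf(g_allowed, sizeof g_allowed, "%s/allowed", g_root);
    snprintf(g_secret,  sizeof g_secret,  "%s/secret",  g_root);
    snprintf(g_link,    sizeof g_link,    "%s/link",    g_root);
    snprintf(g_request, sizeof g_request, "%s/data.txt", g_link);
    mkdir(g_allowed, 0700); mkdir(g_secret, 0700);
    snprintf(p, sizeof p, "%s/data.txt", g_allowed); write_file(p, "public");
    if (stat(p, &g_approved) != 0) { perror(p); exit(1); }  /* what policy allows */
    snprintf(p, sizeof p, "%s/data.txt", g_secret);  write_file(p, "SECRET");
    point_link_at(g_allowed);
    g_lab_ready = 1;
}

static int same_object(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

static const char *slurp(int fd, char *buf, size_t len) {  /* read, close, NUL-terminate */
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return NULL;
    buf[n] = '\0';
    return buf;
}

/* VULNERABLE: the policy check resolves the path (stat) and the use resolves it
 * again (open). The link is repointed in between, so the file that gets opened
 * is not the file that was checked. */
static const char *read_vulnerable(const char *path, attacker_fn attacker,
                                   char *buf, size_t len) {
    struct stat st;
    if (stat(path, &st) != 0 || !same_object(&st, &g_approved)) return NULL; /* check */
    attacker();                                                 /* race window */
    int fd = open(path, O_RDONLY);                              /* use */
    return fd < 0 ? NULL : slurp(fd, buf, len);
}

/* HARDENED: open once, check the object behind the descriptor with fstat(), and
 * never consult the path again. Even when the attacker wins the race and swaps
 * the link before the open, the check sees the wrong file and refuses. */
static const char *read_hardened(const char *path, attacker_fn attacker,
                                 char *buf, size_t len) {
    struct stat st;
    attacker();                                                 /* attacker's best case */
    int fd = open(path, O_RDONLY);
    if (fd < 0) return NULL;
    if (fstat(fd, &st) != 0 || !same_object(&st, &g_approved)) { close(fd); return NULL; }
    return slurp(fd, buf, len);
}

/* hardened == 0 returns what the vulnerable variant leaks ("SECRET");
 * hardened != 0 returns what the hardened variant reads (NULL: refused). */
const char *run_demo(int hardened) {
    static char buf[64];
    build_lab(); point_link_at(g_allowed);
    return hardened ? read_hardened(g_request, attacker_swap, buf, sizeof buf)
                    : read_vulnerable(g_request, attacker_swap, buf, sizeof buf);
}

int main(void) {
    const char *v = run_demo(0), *h = run_demo(1);
    printf("vulnerable: %s\nhardened:   %s\n", v ? v : "(refused)", h ? h : "(refused)");
    return 0;
}
```

The demo serializes the race by calling the attacker's swap inside the window instead of racing a second thread, which is what the real PoC has to do by hitting the timing on two cores. The fix is not a faster check but a different order of operations: open first, validate the opened object, and never resolve the caller-controlled path a second time.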
The original description reads as follows:
The bug is in “MsiAdvertiseProduct”
Calling this function will result in a file copy by the installer service.
This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer … a check gets done while impersonating, but using junctions there is still a TOCTOU .. meaning we can get it to copy any file as SYSTEM, and the destination file will always be readable. This results in an arbitrary file read vulnerability.
To reproduce:
Make sure to copy both readfile.exe and “file” (found under folder PoC-Files)… and put them in the same directory.
Usage: readfile.exe targetfile (where targetfile is the file to read, IE: “readfile.exe c:\users\test\desktop\desktop.ini”)
Run on 2 cores or more, this should work on one core with some modifications.. since you should be able to hit the timing with oplocks too (but I'm lazy).. you should be able to see something like this if it works: https://www.youtube.com/watch?v=x4P2H64GI1o
The easiest way to confirm the bug is to make two local accounts and read the desktop.ini of the other account.
Even without an enumeration vector, this is still bad news, because a lot of document software, like office, will actually keep files in static locations that contain the full path and filenames of recently opened documents.. thus by reading files like this, you can get filenames of documents created by other users.. the filesystem is a spiderweb and references to user created files can be found everywhere.. so not having an enumeration bug is not that big of a deal.
If shadow copies are enabled you can obviously steal the SAM and SYSTEM hive I assume...
Maybe there's some other usecases.. but I'm not very smart, so I don't know.
Reproduction
Test environment
- Windows 7
- the test user has administrator privileges
- the striveben user has Users (ordinary user) privileges
First, as the test user, create a file test.txt, as shown below:
Switch to the striveben user; accessing test.txt is now denied, as shown below:
Using the arbitrary file read PoC, the contents of test.txt created under the test user can be read, as shown below:
The PoC has been tested successfully on Windows 7, Windows 10 and Windows Server 2008 R2.
With this PoC in hand, it will presumably be handier than mimikatz in some situations.