
Windows arbitrary file read 0 day vulnerability how to protect

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to protect against the Windows arbitrary file read 0-day vulnerability. The editor considers it very practical and shares it here for reference; follow along to see how it works.

Vulnerability overview:

SandboxEscaper, a foreign security researcher, has once again published the details and a PoC of a new Windows 0-day vulnerability on Twitter. This is the third Windows 0-day the researcher has disclosed since August 2018. The vulnerability disclosed this time results in arbitrary file read: it allows a low-privileged user or a malicious program to read the contents of any file on the target Windows host, but not to write to it. Until Microsoft releases an official patch, all Windows users are affected.

At present the author's Twitter account has been frozen and the GitHub account blocked, but the vulnerability PoC is already public, so affected users should take note.

Vulnerability principle:

The vulnerability lies in "MsiAdvertise". Calling this function causes the installer service to copy files: any file that can be controlled through the first parameter is copied into C:\Windows\Installer. The check is performed while impersonating the caller, but a TOCTOU (time-of-check to time-of-use) race remains that can be won using directory junctions. As a result, the copy is performed as SYSTEM on an attacker-chosen source file, and the destination file is always readable, which yields an arbitrary file read.

Affected scope:

All Windows versions

Reproduction idea:

1. Create two users on the same Windows host: test in the Administrators group and bmjoker in the ordinary Users group.

2. Create a file in the directory of test (Administrators group).

3. Log in as bmjoker (ordinary user) and use the author's PoC to read the files in test's (administrator) directory.

Vulnerability PoC download link: https://cloud.nsfocus.com/api/krosa/secwarning/files/window arbitrary file read vulnerability troubleshooting tool .zip

Vulnerability reproduction:

Environment: Windows 10

First, as an administrator, create the two test users: test (Administrators group) and bmjoker (ordinary Users group).

The two users are created successfully.

Log in as the test user and create a 1.txt file on the desktop.

To test whether files in other directories can also be read, create a 2.txt in the root of drive C.

Then log in as the bmjoker user and use the author's PoC to try to read the files under the administrator's account.

1.txt is read successfully.

Try to read a file in a different directory.

The file under drive C is also read successfully.

Because this vulnerability exploits a TOCTOU race, the PoC creates threads continuously while it runs, so the system's CPU usage reaches 100%.

Protection recommendations:

The vulnerability cannot be exploited remotely: to trigger it, the exploit program has to run on the target host. As of this announcement, Microsoft has not released a fix; watch for the official patch announcement and apply it promptly.

To prevent attackers from using this vulnerability to read sensitive local information, be cautious about running files from unknown sources, install antivirus software promptly, and monitor for intrusions in real time.
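Until a patch is available, the side effects described above (files appearing in C:\Windows\Installer, a directory junction created from a low-privileged profile to win the TOCTOU race, and a thread storm that pins the CPU) are what a defender can actually watch for. The following PowerShell is an added example written for this article; it is not the PoC author's code or any Microsoft tooling. It assumes an elevated PowerShell 5.1 or later session, and the log path and thread threshold are assumed values, not settings from the article.

```powershell
# Added example (not from the article or from the PoC author): a defender-side
# monitor for the side effects the article describes. Assumptions: runs in an
# elevated PowerShell 5.1+ session; the log path and the thread threshold are
# assumed values, not settings from the article.

$InstallerDir    = 'C:\Windows\Installer'
$LogFile         = Join-Path $env:ProgramData 'installer-copy-monitor.log'  # assumed path
$ThreadThreshold = 500                                                       # assumed value

# 1. Log every file the Installer service materialises in C:\Windows\Installer.
#    Legitimate MSI installs write here too, so treat a hit as a triage signal:
#    correlate the timestamp with MsiInstaller events in the Application log and
#    with whichever non-administrator session was active at that moment.
function Start-InstallerDirMonitor {
    $watcher = New-Object System.IO.FileSystemWatcher
    $watcher.Path                  = $InstallerDir
    $watcher.IncludeSubdirectories = $false
    $watcher.EnableRaisingEvents   = $true
    # -MessageData hands the log path into the event action, which runs in its own scope.
    $null = Register-ObjectEvent -InputObject $watcher -EventName Created `
        -SourceIdentifier 'InstallerDirCreated' -MessageData $LogFile -Action {
            $path = $Event.SourceEventArgs.FullPath
            $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            $size = 'n/a'
            if ($item) { $size = $item.Length }
            $line = '{0:o} file created in Installer dir: {1} ({2} bytes)' -f (Get-Date), $path, $size
            Add-Content -Path $Event.MessageData -Value $line
        }
}

function Stop-InstallerDirMonitor {
    Unregister-Event -SourceIdentifier 'InstallerDirCreated' -ErrorAction SilentlyContinue
}

# 2. The race is won with directory junctions created inside a low-privileged
#    profile. Report every junction under C:\Users and flag those whose target
#    lies outside the owning profile. Windows ships a few such junctions itself
#    (for example "C:\Users\All Users" -> C:\ProgramData), so baseline the output
#    on a clean machine and review only new entries.
function Get-UserJunction {
    param([string]$UsersRoot = 'C:\Users')
    Get-ChildItem -LiteralPath $UsersRoot -Directory -Recurse -Force `
        -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -eq 'Junction' } |
        ForEach-Object {
            $target  = @($_.Target)[0]
            $profile = ($_.FullName -split '\\')[0..2] -join '\'   # C:\Users\<name>
            [pscustomobject]@{
                Junction       = $_.FullName
                Target         = $target
                OutsideProfile = [bool]($target -and -not $target.StartsWith($profile, 'OrdinalIgnoreCase'))
            }
        }
}

# 3. While the PoC runs it spawns threads continuously and drives the CPU to 100%.
#    A process with an unusually high thread count is a cheap, low-fidelity
#    indicator to pair with the two checks above, not a verdict on its own.
function Get-ThreadStormProcess {
    param([int]$Threshold = $ThreadThreshold)
    Get-Process | Where-Object { $_.Threads.Count -gt $Threshold } |
        Select-Object Id, ProcessName, @{ n = 'Threads'; e = { $_.Threads.Count } }, CPU
}

# Usage (elevated session):
#   Start-InstallerDirMonitor
#   Get-UserJunction | Where-Object OutsideProfile | Format-Table -AutoSize
#   Get-ThreadStormProcess
#   Stop-InstallerDirMonitor    # when finished
```

The watcher in step 1 keeps running in the background of the session until Stop-InstallerDirMonitor is called, so it is suited to a short investigation window on a host where an unknown binary was run rather than as a permanent control; a real deployment would forward the same signals to the endpoint agent or SIEM already in place.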

Thank you for reading! This concludes the article on protecting against the Windows arbitrary file read 0-day vulnerability. I hope the above is of some help; if you found it useful, please share it so that more people can see it.


© 2024 shulou.com SLNews company. All rights reserved.
