Source |
ProjectZero |
Identifier |
8644883 |
Publication date |
2025-01-30 09:57:37 (viewed: 2025-01-30 18:07:34) |
Title |
Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update) |
Text |
Posted by James Forshaw, Google Project Zero
Back in 2021 I wrote a blog post about various ways you can build a virtual memory access trap primitive on Windows. The goal was to cause a reader or writer of a virtual memory address to halt for a significant (e.g. 1 or more seconds) amount of time, generally for the purpose of exploiting TOCTOU memory access bugs in the kernel.
The solutions proposed in that post were to either map an SMB file on a remote server or abuse the Cloud Filter API. This post isn't going to provide new solutions; instead I wanted to highlight a new feature of Windows 11 24H2 that makes it possible to abuse the SMB file server directly on the local machine, with no remote server required. This change also makes it possible to locally exploit vulnerabilities of the so-called "False File Immutability" bug class.
All Change Please
The change was first made public, at least as far as I know, in this blog post. Microsoft's blog post described the change in Windows Insider previews, but it has subsequently shipped in Windows 11 24H2, which is generally available.
The TL;DR is that the SMB client on Windows now supports specifying the destination TCP port from the command line's net command. For example, you can force the SMB client to use port 12345 with the command net use \\localhost\c$ /TCPPORT:12345. Accessing the UNC path \\localhost\c$\blah will then connect through port 12345 instead of the old, fixed port of 445. This feature works for any user; administrator access is not required, as it only affects the current user's logon session.
The problem encountered in the previous blog post was that you couldn't bind your fake SMB server to port 445 without shutting down the local SMB server. Shutting down the server can only be done as an administrator, defeating most of the point of the exploitation trick. By changing the client port to one which isn't currently in use, we can open files via our fake SMB server and perform the delay locally without needing to use the Cloud Filter API. This still won't allow the technique to work in a sandbox, fortunately.
Note that an administrator can disable this feature through Group Policy, but it is enabled by default and non-enterprise users are never likely to change that. I personally think making it enabled by default is a mistake that will come back to cause problems for Windows going forward.
I've |
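Added detection example (not code from the Project Zero post): the post's key observable is the /TCPPORT: switch on net use, which lets an unprivileged user redirect the SMB client for a loopback UNC path to a port other than 445. The script below scans process-creation command lines (constructed here inline; in practice they would come from Sysmon event 1 or Security event 4688 telemetry) and flags net use invocations that set a non-default TCP port, marking those aimed at a loopback host, which is the pattern the post describes. The set of loopback names and the assumption that the local machine name is not used are both simplifications of this example, not facts from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample command lines, assumed to come from process-creation logs.
# They are illustrative only and are not taken from the original post.
SAMPLE_CMDLINES = [
    r"net use \\localhost\c$ /TCPPORT:12345",
    r"C:\Windows\System32\net.exe  use  \\127.0.0.1\share /tcpport:8445 /persistent:no",
    r"net use Z: \\fileserver\projects",
    r"net use \\localhost\c$ /TCPPORT:445",
    r"net use \\fileserver\projects /TCPPORT:4450",
    r"powershell -c Get-Process",
]

# Matches "net use" with an optional path prefix and optional ".exe" suffix.
NET_USE_RE = re.compile(r"(?i)^\s*(?:\S*\\)?net(?:\.exe)?\s+use\b(?P<args>.*)$")
# Extracts the host component of the first UNC path (\\host\share).
UNC_RE = re.compile(r"\\\\(?P<host>[^\\\s]+)\\")
# The switch documented on the page; the port is a 1-5 digit number.
TCPPORT_RE = re.compile(r"(?i)/TCPPORT:(?P<port>\d{1,5})")

DEFAULT_SMB_PORT = 445
# Assumed loopback spellings; a real detector would also compare against
# the local machine name and its addresses (not modelled here).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Finding:
    cmdline: str
    host: str
    port: int
    loopback: bool  # True when the SMB client is being pointed at this machine


def analyze(cmdline: str) -> Optional[Finding]:
    """Return a Finding when the command line redirects the SMB client port."""
    m = NET_USE_RE.match(cmdline)
    if not m:
        return None
    args = m.group("args")
    p = TCPPORT_RE.search(args)
    if not p:
        return None
    port = int(p.group("port"))
    if port == DEFAULT_SMB_PORT or not 1 <= port <= 65535:
        return None  # default port (or nonsense value): nothing unusual here
    u = UNC_RE.search(args)
    host = u.group("host").lower() if u else "?"
    return Finding(cmdline, host, port, host in LOOPBACK_HOSTS)


def scan(cmdlines: List[str]) -> List[Finding]:
    """Run analyze() over a batch of command lines, keeping only hits."""
    return [f for f in (analyze(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        tag = "LOOPBACK" if f.loopback else "remote  "
        print(f"[{tag}] host={f.host} port={f.port} :: {f.cmdline}")
```

The loopback case is the one worth a high-priority alert: a non-administrator pointing the SMB client at the local machine on an arbitrary port has no ordinary reason to do so. The non-loopback case is lower confidence, since a legitimately reconfigured file server could explain it, so it is reported but left for an analyst to triage.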
Notes |
★★★
|
Sent |
Yes |
Tags |
Vulnerability
Threat
Cloud
|