xtex/qq-tim-elevation
Archived
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
CVE-2023-34312
This repository has been archived on 2023-07-11. You can view files and clone it, but cannot push or open issues or pull requests.
1 commit 1 branch 0 tags 683 KiB
Rust 100%
Go to file
vi3t1 93876c67e7 first commit
2023-01-01 00:00:15 +00:00
poc first commit 2023-01-01 00:00:15 +00:00
samples first commit 2023-01-01 00:00:15 +00:00
.gitattributes first commit 2023-01-01 00:00:15 +00:00
.gitignore first commit 2023-01-01 00:00:15 +00:00
demonstration.gif first commit 2023-01-01 00:00:15 +00:00
image0.png first commit 2023-01-01 00:00:15 +00:00
image1.png first commit 2023-01-01 00:00:15 +00:00
README.md first commit 2023-01-01 00:00:15 +00:00

README.md

Tencent QQ/TIM Local Privilege Elevation

Affected Products:

  • QQ 9.7.1.28940 ~ 9.7.8.29039
  • TIM 3.4.5.22071 ~ 3.4.7.22084

Affected Components:

  • QQProtect.exe 4.5.0.9424 (in TIM 3.4.5.22071)
  • QQProtect.exe 4.5.0.9426 (in QQ 9.7.1.28940)
  • QQProtectEngine.dll 4.5.0.9424 (in TIM 3.4.5.22071)
  • QQProtectEngine.dll 4.5.0.9426 (in QQ 9.7.1.28940)

1. Summary

Tencent QQ and TIM are two instant messaging softwares developped by Shenzhen Tencent Computer System Co., Ltd. They both have a component QQProtect.exe locating in %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin. QQProtect.exe is installed as a Windows service named QPCore and runs as NT Authority\SYSTEM automatically when system starts up. Both the component QQProtect.exe and its dependent DLL QQProtectEngine.dll have an arbitrary address write vulnerability. An attacker with low privilege can load evil DLL inside QQProtect.exe process by combining the two vulnerability and gets NT Authority\SYSTEM shell.

2. Vulnerability

The first vulnerability is the code at QQProtect.exe+0x40c9f8:

where a2 is a pointer that can be controlled by an attacker and dword_41a740 is a global variable whose value is 0x00000001. So an attacker can write the value DWORD(1) at any address.

The second vulnerability is the code at QQProtectEngine.dll+0x3B4F6:

where v3 is a pointer that can be controlled by an attacker. So an attacker can write the value std::bit_cast<DWORD>(ptr) + 4 at any given address ptr.

An attacker can tamper with a function pointer resides in QQProtect.exe and use ROP chains to execute arbitray code easily due to the fact that QQProtect.exe does not have ASLR protection.

3. Proof of concepts

The poc code is written in Rust language. You should use i686-pc-windows-msvc toolchain to compile it.

$ cd poc
$ cargo +stable-i686-pc-windows-msvc build --release --config "build.rustflags = [\"-C\", \"target-feature=+crt-static\"]"

You will get two DLLs:

target\release\tinyxml.dll
target\release\evil.dll

Then put the two Dlls above and %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin\QQProtect.exe togather in a folder.

Finally get NT Authority\SYSTEM shell with one command:

$ QQProtect.exe <PATH TO evil.dll>

4. Demonstration

demonstration.gif