Related vulnerability
Title:
TotalAV security vulnerability
(CVE-2024-31771)
Description: TotalAV is a computer security suite that supports multiple platforms, with features including antivirus, anti-phishing and anti-spyware protection. TotalAV v6.0.740 contains a security vulnerability caused by insecure permissions, which allows a local attacker to escalate privileges via a crafted file.
Introduction
# CVE-2024-31771 TotalAV Arbitrary File Write
TotalAV version 6.0.x
https://github.com/restdone/CVE-2024-31771/assets/42227817/ffe0c2ec-4ea6-4c29-852f-456b2e62f5b1
Timeline:
13th Feb, 2024: Discovered that 6.0.740 was vulnerable and reported it to TotalAV.
15th Feb, 2024: TotalAV confirmed and reproduced the issue.
19th Feb, 2024: TotalAV was liaising with another vendor. That vendor advised that they were working on it.
18th Mar to 19th Apr, 2024: Asked for an update; no response from TotalAV.
3rd May, 2024: Requested a CVE ID and asked TotalAV for further updates. TotalAV replied that there was no update on this issue.
11th May, 2024: Version 6.0.1028 was still vulnerable. No mitigation timeline from the vendor.
Steps:
1. Download a malicious DLL generated by msfvenom (part of the Metasploit exploitation software package). In the video, I was targeting a DLL loaded by the Windows Update service.
2. After the DLL has been quarantined, create a junction linking the download file location to C:\Windows\System32\, for example linking c:\users\<username>\downloads\test to C:\Windows\System32:
`C:\Users\player1\Desktop\CreateMountPoint.exe "C:\Users\player1\Downloads\test" "C:\Windows\System32"`
3. Restore the DLL; the file is now written through the mount point into C:\Windows\System32\.
- Using EICAR as an example, the file was written by NT AUTHORITY\SYSTEM.

4. After restoring, the DLL is detected as a threat a second time and moved to quarantine again.
5. If the DLL is restored from quarantine again, the file is written to C:\Windows\System32\ again.
6. If the Windows Update service is then triggered, it loads the malicious DLL and the attacker obtains NT AUTHORITY\SYSTEM privileges.
`(New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search('IsInstalled=0')`
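The root cause described above is a privileged restore that follows a junction on the way to its target. As an added example (not TotalAV's code and not part of the author's PoC), the following shows the validation a quarantine restore should perform: refuse any directory component that is a symlink or reparse point (junction/mount point) and never follow a link at the final name. `safe_restore`, `demo` and `UnsafeRestorePath` are hypothetical names, and the layout is constructed, with a symlink standing in for the step-2 junction.

```python
import os
import stat
import tempfile
from pathlib import Path

class UnsafeRestorePath(Exception):
    """Target passes through a junction/symlink or lies outside the allowed root."""

def _is_reparse_point(p: Path) -> bool:
    st = os.lstat(p)  # inspect the entry itself, never follow it
    # Windows junctions and mount points carry the reparse-point attribute
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def safe_restore(data: bytes, dest: Path, allowed_root: Path) -> Path:
    """Write quarantined bytes to dest, refusing if any directory component
    between allowed_root and dest is a reparse point."""
    root = Path(allowed_root).resolve(strict=True)
    try:
        rel = Path(dest).parent.relative_to(root)  # lexically under the root?
    except ValueError:
        raise UnsafeRestorePath(f"{dest} is outside {root}") from None
    current = root
    for part in rel.parts:  # examine every component below the root in turn
        current = current / part
        if _is_reparse_point(current):
            raise UnsafeRestorePath(f"{current} is a junction or symlink")
    # O_EXCL never overwrites; O_NOFOLLOW refuses a link at the final name. This is
    # still check-then-write: the durable fix is to write under the requesting user's token.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(dest, flags, 0o644), "wb") as f:
        f.write(data)
    return Path(dest)

def demo() -> dict:
    """Constructed layout: 'test' is a symlink (stand-in for the step-2 junction) to a fake System32."""
    base = Path(tempfile.mkdtemp()).resolve()
    downloads, fake_system32 = base / "downloads", base / "fake_system32"
    (downloads / "clean").mkdir(parents=True)
    fake_system32.mkdir()
    os.symlink(fake_system32, downloads / "test", target_is_directory=True)
    payload = b"constructed stand-in for the quarantined file\n"
    blocked = False
    try:
        safe_restore(payload, downloads / "test" / "x.dll", downloads)
    except UnsafeRestorePath:
        blocked = True
    out = safe_restore(payload, downloads / "clean" / "x.dll", downloads)
    return {"junction_blocked": blocked, "clean_restored": out.read_bytes() == payload,
            "nothing_in_system32": not any(fake_system32.iterdir())}
```

The component walk is racy by nature (a link can be planted between the check and the write), so the restore should also run with the requesting user's privileges rather than as SYSTEM, which removes the privilege gap the junction exploits.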
Reference:
https://github.com/googleprojectzero/symboliclink-testing-tools
Special thanks to Filip !!! (https://github.com/Wh04m1001)
File snapshot
[4.0K] /data/pocs/3ddfbc942e1146a51051fc18fa1033941d919588
├── [2.0K] README.md
└── [ 21M] totalAV_MKV.mkv
0 directories, 2 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is unavailable or cannot be accessed, please email f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.