来源

关联漏洞

描述

POC OF CVE-2022-21970

介绍

## [CVE-2022-21970](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21970)

## Description
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. 
This vulnerability allows an attacker to execute javascript code on every host without permission, also an attacker can steal local system files, and also he can manipulate the actions against the machine and result in changing internal developer settings in Microsoft Edge.

- NOTE: In this example, Microsoft Edge executes a malicious script without problems.
This is just a malicious .bat file that reboots the infected machine, and it's only for testing!
The attacker can create a malicious file that can take a privileges escalation, malware, spyware, or kernel exploit file and harm seriously your device!
Not correctly sanitizing and checking for that what users download on their machines by using a MsEdge!

NOTE after the exploit: A malicious user, or whatever user can execute directly malicious .bat files which are created - generated from this javascript exploit by using MsEdge. 😁
According to Edge, this file is safe to run and open. 😁

------------------------------------------------------------------------------------------------------------------------------------------------

## FAQ
What is the version information for this release?

Microsoft Edge Version	Date Released	Based on Chromium Version

97.0.1072.55 | 1/6/2022	 | 97.0.4692.71

## STATUS:
- Patched and fixed on!
![Edge-Fix](https://user-images.githubusercontent.com/86009160/197056883-8e396803-9d70-429c-b108-ae74191bb654.png)

------------------------------------------------------------------------------------------------------------

# The next test is checking if this is fully patched! 🤫 😛 😎

## Proof and simple browser test MsEdge: Edge is blocking `.sys` files because they can harm your device:

![edge-patch](https://user-images.githubusercontent.com/86009160/197057034-37fbb1e9-966e-42c9-842c-d5eaca4414a6.png)

## This proof of concept is shown as to how the MsEdge browser NOT blocking `.bat` files, and this is a problem.

- NOTE: A malicious user, or whatever user can execute directly malicious `.bat` files which are created - generated by using exactly MsEdge and this `javascript exploit`. 
- This is ridiculous and incorrect sanitizing!😁
- According to Edge, this file is safe to run and open. 😁

- This vulnerability allows and stores the vulnerable files on the local storage. 
- No, this is not a problem 😬 😁 😂, because this malicious files are generated from Edge 😬 😁 😂 by using this javascript exploit.😁
- Conclusion: If the user is decided to execute the malicious file directly from the Edge browser, boom the game is over...... 

- Screenshot, example:

![Screenshot 2022-01-18 122501](https://user-images.githubusercontent.com/86009160/197057094-e82f5861-96d1-4dff-92a5-8296cbe18dbb.png)

## In Action:

1. download the PoC

2. extracted somewhere

3. Execute

```cmd
start msedge C:\Users\user2022\Desktop\ExploitServer\examples\exploit.html
```
## Example from the function():

```java
    $start.onclick = () => {
        const blob = new Blob(['shutdown /r'])
        const fileStream = streamSaver.createWriteStream('pwned.bat', {
          size: blob.size // Makes the percentage visiable in the download
        })

```

## Proof and Exploit:

- BR Malwareman007

文件快照

 [4.0K]  /data/pocs/b2381ae4195dc9d8d65e6a3279c09e52ad30138b
├── [ 34K]  LICENSE
├── [4.0K]  POC
│   └── [4.0K]  ExploitServer
│       ├── [4.0K]  examples
│       │   ├── [1.7K]  exploit.html
│       │   └── [6.2K]  zip-stream.js
│       ├── [ 923]  package.json
│       ├── [ 11K]  README.md
│       ├── [9.4K]  StreamSaver.js
│       └── [3.5K]  sw.js
└── [3.3K]  README.md

3 directories, 8 files

备注