Related vulnerability
Description
CVE-2022-25943
Introduction
## JVN Advisory
https://jvn.jp/en/vu/JVNVU90673830/
## The following CVE number has been assigned:
- <a href="https://www.cve.org/CVERecord?id=CVE-2022-25943">CVE-2022-25943</a>
# KINGSOFT WPS Office LPE
***WPS Office*** is an office suite for Microsoft Windows, macOS, Linux, iOS, Android, and HarmonyOS developed by Zhuhai-based Chinese software developer Kingsoft.
## Exploring WPS
One of the nicest features WPS offers is a cloud service for saving your documents, work, etc. This service is set to manual start by default: it is started only when you navigate to WPS Cloud in the WPS Office panel, and it then runs with the current user's privileges (low privilege).
## Vulnerability
Looking at the early imports the WPS cloud service performs once started, it first tries to load a DLL called **CRYPTSP.DLL**, along with others, from ***C:\ProgramData\kingsoft\office6\***. If they aren't there (and by default they aren't), the service loads them from System32, as you can see: <br/><br/>
<img src="/assets/process_monitor.PNG"/><br/><br/>
The issue is that the ACL on that directory grants read/write access to all users, so an attacker can plant a malicious DLL there and restart the executable. Restarted that way it still runs at the current privilege level (low-privileged user), unless the executable is started as a service (since it is installed as one) with something like **net start wpscloudsvr**, which starts the service as **NT AUTHORITY**. <br/>
The root cause is therefore an ***ACL misconfiguration***.
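As an added check (not code from the PoC repository), the PowerShell audit below inspects the directory named above: it reports any Allow ACE that lets Everyone, Users, Authenticated Users or Interactive create or replace files there, and any CRYPTSP.dll already present in it. The directory and DLL name come from the text above; the list of broad principals (matched by well-known SID) and the rights mask are assumptions.

```powershell
# Added audit script, not part of the PoC repository. Directory and DLL
# name come from the advisory text; the principal list is an assumption.
param(
    [string]$Dir = 'C:\ProgramData\kingsoft\office6',
    [string[]]$Dlls = @('CRYPTSP.dll')
)
# Well-known SIDs for principals that must never be able to create files in a
# directory a SYSTEM service loads code from (locale-independent, unlike names).
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')  # Everyone, Users, Authenticated Users, Interactive
# Rights that allow planting or replacing a file, or rewriting the ACL itself.
$R = [System.Security.AccessControl.FileSystemRights]
$PlantMask = [int]($R::CreateFiles -bor $R::Write -bor $R::Modify -bor
                   $R::FullControl -bor $R::ChangePermissions -bor $R::TakeOwnership)

function Get-WpsDirFindings {
    param([string]$Path, [string[]]$DllNames)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) { return $findings }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs are findings; a matching Deny ACE would be part of a fix.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable identity: skip rather than guess
        if ($BroadSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $PlantMask) -eq 0) { continue }
        $findings += [pscustomobject]@{
            Type      = 'WritableByLowPriv'
            Detail    = "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
            Inherited = $ace.IsInherited
        }
    }
    foreach ($name in $DllNames) {
        $dll = Join-Path -Path $Path -ChildPath $name
        if (-not (Test-Path -LiteralPath $dll)) { continue }
        # The genuine CRYPTSP.dll lives in System32; a copy here was placed by someone.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $findings += [pscustomobject]@{
            Type      = 'DllPresentInProbedDir'
            Detail    = "$dll signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
            Inherited = $false
        }
    }
    return $findings
}
$result = @(Get-WpsDirFindings -Path $Dir -DllNames $Dlls)
if ($result.Count -eq 0) { Write-Host "No findings for $Dir" }
else { $result | Format-Table -AutoSize }
```

A clean install should report nothing once the directory's ACL no longer grants write rights to those principals; an inherited ACE in the output means the fix belongs on the parent directory.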
## Exploit
My exploit is simple: it copies the crafted DLL (which changes the Administrator password) to the target directory and restarts the service. Now access to the Administrator account is available, which means I have access to SeDebugPrivilege; from there I steal the winlogon token and start cmd as **NT AUTHORITY / System**. <br/>
## PoC
https://user-images.githubusercontent.com/57273771/152659158-7f3a5607-40d9-41b6-85c5-7ed3ca83d0e5.mp4
File snapshot
[4.0K] /data/pocs/f6fef30b1e8346452f1578a543579787b3779ee9
├── [4.0K] assets
│   ├── [ 99K] process_monitor.PNG
│   └── [   1] readme
├── [4.0K] bo3o
│   ├── [ 82K] CRYPTSP.dll
│   ├── [112K] NT_sys.exe
│   └── [129K] wpscloudsvc priv escalation.exe
├── [1.0K] LICENSE
├── [1.9K] README.md
└── [4.0K] src
    ├── [ 764] dll.cpp
    ├── [2.7K] exploit.cpp
    └── [4.4K] nt-sys.cpp

3 directories, 10 files
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.