# CVE-2024-57394
A vulnerability was identified in the Qi-ANXIN Tianqing Endpoint Security Management System (tested on version 10.0). This vulnerability allows low-privilege users to restore a quarantined file to an arbitrary location, such as `C:\Windows\System32`.
An attacker can craft a malicious DLL file, restore it to `C:\Windows\System32`, and exploit known DLL hijacking vulnerabilities (e.g., LPE via StorSvc) to escalate privileges to SYSTEM.
# Reproduction Steps
Craft a malicious DLL named `sprintcsp.dll` that executes malicious commands.

Land the DLL on the target machine; the file gets quarantined.

Restore and trust the file in the EDR client.

File is successfully written to `C:\Windows\System32`.

Create `RpcClient.exe`, which leverages a DLL hijacking vulnerability in the StorSvc service to execute the malicious DLL `sprintcsp.dll`.
As a proof of concept, the DLL will create a service named `abc` and execute the binary at `C:\Users\Public\test.exe` as SYSTEM.

Reference: https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
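The root cause is that the restore operation trusts a caller-supplied destination. Below is an added illustration of the missing check, not code from the vendor product or from this advisory: a lexical restore-path validator that a quarantine component could apply before writing a file back. `PROTECTED_ROOTS`, `normalize`, `check_restore` and the sample paths are all constructed for this example.

```python
from pathlib import PureWindowsPath

# Constructed policy for this example: roots where a restored file must never land.
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def normalize(path: str) -> PureWindowsPath:
    """Lexically collapse '.' and '..' so traversal cannot escape a prefix check.

    PureWindowsPath keeps '..' components as-is, so 'C:\\Users\\..\\Windows'
    would otherwise not compare equal to 'C:\\Windows'.
    """
    p = PureWindowsPath(path)
    parts: list[str] = []
    for part in p.parts:
        if part == p.anchor or part == ".":
            continue
        if part == "..":
            if parts:
                parts.pop()
            continue
        parts.append(part)
    return PureWindowsPath(p.anchor, *parts)


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path is root or lies inside it (PureWindowsPath compares case-insensitively)."""
    return path == root or root in path.parents


def check_restore(origin: str, requested: str, caller_is_admin: bool) -> tuple[bool, str]:
    """Decide whether a quarantined file may be written back to `requested`.

    `origin` is the path recorded when the file was quarantined. A low-privilege
    caller may only put the file back where it came from; an administrator may
    choose another location as long as it is outside the protected roots.
    This is a lexical check only: a real implementation must also resolve the
    final path with the OS (junctions, reparse points, 8.3 names) before writing.
    """
    dest = normalize(requested)
    if not dest.drive:
        return False, "destination must be an absolute drive path"
    if dest.drive.startswith("\\\\"):
        return False, "UNC and \\\\?\\ prefixed paths are not accepted"
    if dest == normalize(origin):
        return True, "restore to recorded origin"
    if not caller_is_admin:
        return False, "low-privilege caller may only restore to the recorded origin"
    for root in PROTECTED_ROOTS:
        if is_under(dest, root):
            return False, f"destination is under protected root {root}"
    return True, "administrator restore to an unprotected location"
```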