关联漏洞
标题:Microsoft Hyper-V 安全漏洞 (CVE-2023-36407)Description:Microsoft Hyper-V是美国微软(Microsoft)公司的一个应用程序。一种系统管理程序虚拟化技术,能够实现桌面虚拟化。 Microsoft Hyper-V存在安全漏洞。攻击者利用该漏洞可以提升权限。以下产品和版本受到影响:Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 11 version 21H2 for x64-based Systems,Windows 11 version 21H2
介绍
# CVE-2023-36407
This is poc for CVE-2023-36407, Hyper-V Elevation of Privilege Vulnerability.
https://github.com/pwndorei/CVE-2023-36407/assets/96749184/a8ef87d3-e0d0-40e5-9b23-35ab057a9c78
## Vulnerability
- OOB Read/Write from/to Non-paged Pool via `winhvr.sys!WinHvGet/SetVpState`
# Reproduction Steps
- Environment I used: Windows 11 22H2 x64
- Patch: kb5031354
- control code for `WinHvSetVpState`: 0x221268
- if poc does not work, analyze `Vid.sys` to find out control code for `WinHvSetVpState` and change it
## Build
Just build the project(Release/x64), then `CVE-2023-36407.exe` will be generated.
## Reproduction
1. run `CVE-2023-36407.exe` in vulnerable Hyper-V Host(Root Partition)
2. **Boom**
### How it works?
1. `CVE-2023-36407.exe` calls `DeviceIoControl` that invokes `winhvr.sys!WinHvSetVpState`
2. In `WinHvSetVpState`, `memcpy` copies data from input buffer(user-controlled) to Non-paged Pool memory
- length of data to copy depends on input data's length
3. The Non-paged Pool Memory is 0x1000 bytes size and there is no size check for input before calling `memcpy`
- BOF in Non-paged Pool
4. BSOD occurs because of the corruption
文件快照
[4.0K] /data/pocs/5d1cd8e8f3c3665d41363f6fe6ca60bb00ea9d3e
├── [1.4K] CVE-2023-36407.sln
├── [6.5K] CVE-2023-36407.vcxproj
├── [ 959] CVE-2023-36407.vcxproj.filters
├── [ 892] main.c
└── [1.1K] README.md
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。