Related vulnerability
Title: Microsoft Windows link following vulnerability (CVE-2025-60710) Description: Microsoft Windows is an operating system for personal devices from Microsoft Corporation (USA). A link following vulnerability exists in the Microsoft Windows Host Process for Windows Tasks. An attacker can exploit this vulnerability to escalate privileges. The following products and versions are affected: Windows 11 Version 25H2 for ARM64-based Systems, Windows 11 Version 25H2 for x64-based Systems.
Introduction
# CVE-2025-60710
This is a PoC for a local privilege escalation vulnerability in the `\Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration` scheduled task.
When this scheduled task is started, the taskhostw.exe process will try to open the `C:\Users\%username%\AppData\Local\CoreAIPlatform.00\UKP` directory and search for subdirectories using the following filter: `{????????-????-????-????-????????????}`. If such a directory is found, it is deleted without checking for symbolic links.
Since a low-privilege user can by default create directories in their own %LOCALAPPDATA% folder, this leads to arbitrary folder deletion in the context of the `NT AUTHORITY\SYSTEM` user.
The scheduled task is configured with multiple triggers, any of which can be used to start it.
```xml
<Triggers>
  <WnfStateChangeTrigger id="RecallPolicyCheckUpdateTrigger">
    <Enabled>true</Enabled>
    <StateName>7508BCA32C079E41</StateName>
  </WnfStateChangeTrigger>
  <WnfStateChangeTrigger id="AADStatusChangeTrigger">
    <Enabled>true</Enabled>
    <StateName>7508BCA32C0F8241</StateName>
  </WnfStateChangeTrigger>
  <WnfStateChangeTrigger id="DisableAIDataAnalysisTrigger">
    <Enabled>true</Enabled>
    <StateName>7528BCA32C079E41</StateName>
  </WnfStateChangeTrigger>
  <WnfStateChangeTrigger id="UserLoginTrigger">
    <Enabled>true</Enabled>
    <StateName>7510BCA338038113</StateName>
  </WnfStateChangeTrigger>
  <SessionStateChangeTrigger id="SessionUnlockTrigger">
    <Enabled>true</Enabled>
    <StateChange>SessionUnlock</StateChange>
  </SessionStateChangeTrigger>
</Triggers>
```
This PoC uses the WnfStateChangeTrigger `RecallPolicyCheckUpdateTrigger` to start the scheduled task.
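As an added defensive check (not part of the PoC repository or the README), the following PowerShell snippet shows the affected task's principal and triggers and flags any GUID-named entry under the user's `CoreAIPlatform.00\UKP` directory that is a reparse point (junction or symbolic link), which is exactly the condition the task fails to check before deleting. The task path, directory name and GUID filter are taken from the description above; the variable names are my own.

```powershell
# Added defensive check; not part of the original PoC. Task path, directory
# name and GUID filter come from the vulnerability description above.
$taskPath = '\Microsoft\Windows\WindowsAI\Recall\'
$taskName = 'PolicyConfiguration'
$ukpDir   = Join-Path $env:LOCALAPPDATA 'CoreAIPlatform.00\UKP'
# Regex form of the task's own filter: {????????-????-????-????-????????????}
$guidPattern = '^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$'

# 1. Confirm the task exists, who it runs as, and which triggers can fire it.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($null -eq $task) {
    Write-Output "Task $taskPath$taskName is not present on this host."
} else {
    Write-Output "Task state: $($task.State); runs as: $($task.Principal.UserId)"
    $task.Triggers | ForEach-Object {
        Write-Output ("  trigger id={0} type={1}" -f $_.Id, $_.CimClass.CimClassName)
    }
}

# 2. Look for GUID-named entries in the UKP directory that are reparse points.
#    A junction or symlink matching the task's filter is what turns the task's
#    delete into an arbitrary folder delete, so its presence is worth an alert.
if (Test-Path -LiteralPath $ukpDir) {
    $suspicious = Get-ChildItem -LiteralPath $ukpDir -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -match $guidPattern -and
            ($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
        }
    if ($suspicious) {
        foreach ($entry in $suspicious) {
            Write-Warning ("Reparse point {0} -> {1} ({2})" -f `
                $entry.FullName, ($entry.Target -join ','), $entry.LinkType)
        }
    } else {
        Write-Output "No reparse points matching the task's filter under $ukpDir."
    }
} else {
    Write-Output "$ukpDir does not exist for the current user."
}
```

Run it in the context of the user whose profile you are inspecting; a warning line means a link is sitting where the task would delete it and the entry (and its target) should be reviewed before the task next fires.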
## PoC
<img width="1897" height="952" alt="image" src="https://github.com/user-attachments/assets/a4a9c9d6-80b3-4dad-ae41-71e328c7ebcb" />
File snapshot
[4.0K] /data/pocs/a8507a6bc23e61de7ffb78e01bdc6017fe95b9ea
├── [4.0K] CVE-2025-60710
│ ├── [558K] 5eeabb3.rbs
│ ├── [1.4K] CVE-2025-60710.sln
│ ├── [6.6K] CVE-2025-60710.vcxproj
│ ├── [1.6K] CVE-2025-60710.vcxproj.filters
│ ├── [ 168] CVE-2025-60710.vcxproj.user
│ ├── [4.6K] def.h
│ ├── [4.4K] FileOplock.cpp
│ ├── [1.0K] FileOplock.h
│ ├── [ 16K] FileOrFolderDelete.cpp
│ ├── [ 10K] main.cpp
│ ├── [184K] Msi_EoP.msi
│ ├── [ 300] resource.h
│ └── [2.1K] resource.rc
└── [1.8K] README.md
2 directories, 14 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying or donating for the local POC. Thank you for your support.