After the cloud control configuration (JSON data) has been extracted, it is stored under the registry key SOFTWARE\SogouInput.store.user\search_suggestion in the values smart_task_config and smart_task_supports. The former is the extracted configuration; the latter is the encrypted allowed_p field, which lists the allowed processes: the process executing a task must match the value of the allowed_p field.
Setting Shiply SDK parameters: in the SGBizLauncher.exe program, the configuration is retrieved via the Shiply SDK. Before that, parameters such as APPID, APPKEY, BundleID, and the application version must be set. Testing showed that APPID and APPKEY are the key parameters: they determine which configuration is retrieved.
Configuration retrieval source: Sogou Input Method uses the SGBizLauncher.exe program with the additional parameter -lappid=configupdate to retrieve the cloud control configuration. SGBizLauncher.exe is launched by the input method component SogouPY.ime once every six hours. This component is a DLL that is loaded when the user switches to Sogou Input Method.
TFunction4 sets up the call to YAddPrinterDriverEx, as shown in Figure 5. The function pointer at offset 128 of v7 is YAddPrinterDriverEx; in the figure, the asynchronous callback calls the function pointer at a1 + 128, that is, it calls YAddPrinterDriverEx.
The PrintNightmare vulnerability can be understood as a bypass of the CVE-2021-1675 patch. This article takes the exploit provided in Mimikatz [3] as an example to analyze the vulnerability.
The PrintNightmare exploit in Mimikatz uses another print service API, RpcAsyncAddPrinterDriver, to bypass the permission check added by the patch described above. As shown in Figure 2, this API also accepts the APD_INSTALL_WARNED_DRIVER flag. Because this function does not include the added verification, the flag passes straight through to the subsequent bittest check, which is bypassed, and the malicious DLL is loaded and its code executed.
Specifically, a permission check was added to AddPrinterDriverEx. The key points are the three functions YIsElevated, YIsElevationRequered, and RunningAsLUA. When v12 == 0, v13 == 1, and v9 == 1, the 0x8000 bit is cleared from the flags by the & operation, so the permission check fails when SplAddPrinterDriverEx is called later, and the vulnerability cannot be triggered.
Visit the address of the uploaded file. For a clearer demonstration, I added <?php phpinfo(); ?> to the uploaded image. The uploaded file clearly has the type we wanted, and the code executed successfully. Finally, I searched online for others' audits of this code (http://cn-sec.com/archives/311436.html) and found that their directories differed from mine, which was a pleasant surprise.
The vulnerability is in the AddPrinterDriverEx function, which takes three parameters. The third is a flags value with an option that the official documentation does not mention: APD_INSTALL_WARNED_DRIVER = 0x00008000. According to the code logic in Figure 1, before InternalAddPrinterDriverEx is called, bit 15 (0xf) of the flags is tested with bittest. If it is set, v12 stays 0, which bypasses the access check on line 24, and InternalAddPrinterDriverEx is called.
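The following is an added example, not code from the article, from Mimikatz, or from Windows: it models the flag handling described above for the patched AddPrinterDriverEx and for a path with no sanitisation, such as the RpcAsyncAddPrinterDriver path the text describes. The helper names follow the decompiled names quoted above; their results are passed in as parameters, and the mapping of v12, v13 and v9 to those helpers is an assumption.

```cpp
#include <cstdint>
#include <cstdio>

// Flag value named in the text; present in winspool.h but not in the public docs.
constexpr uint32_t APD_INSTALL_WARNED_DRIVER = 0x00008000;

// Results of the three helpers the patch relies on. Which decompiler
// variable (v12, v13, v9) maps to which helper is an assumption here.
struct CallerContext {
    bool isElevated;         // YIsElevated
    bool elevationRequired;  // YIsElevationRequered (spelled as in the decompilation)
    bool runningAsLUA;       // RunningAsLUA
};

// The access check that bit 15 short-circuits: returns true when the call must
// be rejected. When bittest(flags, 0xf) is set the check is skipped entirely.
static bool AccessCheckRejects(uint32_t flags, bool callerIsAdmin) {
    bool bit15 = (flags >> 15) & 1u;
    if (bit15) return false;          // v12 stays 0: check bypassed
    return !callerIsAdmin;
}

// Patched synchronous path: for an unelevated LUA caller that needs elevation,
// clear 0x8000 before the check so the bypass is no longer reachable.
static uint32_t SanitizeFlagsPatched(uint32_t flags, const CallerContext& c) {
    if (!c.isElevated && c.elevationRequired && c.runningAsLUA)
        flags &= ~APD_INSTALL_WARNED_DRIVER;
    return flags;
}

// Returns true when InternalAddPrinterDriverEx would be reached.
static bool AddPrinterDriverExPatched(uint32_t flags, const CallerContext& c, bool callerIsAdmin) {
    return !AccessCheckRejects(SanitizeFlagsPatched(flags, c), callerIsAdmin);
}

// Unpatched shape, and the async path as the text describes it: the flags go
// straight to the same check with no sanitisation.
static bool AddPrinterDriverNoSanitize(uint32_t flags, bool callerIsAdmin) {
    return !AccessCheckRejects(flags, callerIsAdmin);
}

int main() {
    CallerContext lua{false, true, true};   // standard user, UAC on, no admin token
    std::printf("sync, patched, flag set      : %s\n",
                AddPrinterDriverExPatched(APD_INSTALL_WARNED_DRIVER, lua, false) ? "driver added" : "rejected");
    std::printf("no sanitize, flag set        : %s\n",
                AddPrinterDriverNoSanitize(APD_INSTALL_WARNED_DRIVER, false) ? "driver added" : "rejected");
    std::printf("no sanitize, flag clear      : %s\n",
                AddPrinterDriverNoSanitize(0, false) ? "driver added" : "rejected");
    return 0;
}
```

The point the model makes explicit: the patch does not remove the bit-15 short-circuit, it only strips the bit for unprivileged callers on one entry point, so any entry point that reaches the same check without stripping keeps the bypass.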
The file upload handling centers on filtering. The up_img() function processes the submitted content, and an array records the types to be verified, so we need to look at up_img() in detail.
Locate the up_img() function and analyze it. The key point is how the type value is verified. The uploaded file's information, obtained with pathinfo(), is assigned to pic_name. file_type takes the type of the uploaded file, that is, the value after Content-Type in the request. strtolower() converts file_type to lowercase, and in_array() checks whether a value equal to file_type exists in the array; if it does, the file is saved. Because only the client-supplied Content-Type value is verified, and neither the file extension nor the file content is checked, there is a vulnerability here.
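The following is an added example and not the CMS code the article audits: a minimal model of the up_img() decision. up_img_weak() reproduces the flaw described above (only the client-supplied Content-Type is compared with the type list), and up_img_hardened() adds the checks that close it. The field names, the allow lists, and the sample uploads are assumptions constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// One multipart file part; every field is attacker controlled.
struct Upload {
    std::string filename;     // name supplied by the client
    std::string contentType;  // Content-Type header of the part
    std::string bytes;        // file body
};

// Assumed allow lists (the audited code's array is not reproduced here).
static const std::vector<std::string> kAllowedTypes = {"image/jpeg", "image/png", "image/gif"};
static const std::vector<std::string> kAllowedExt   = {"jpg", "jpeg", "png", "gif"};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool inArray(const std::string& v, const std::vector<std::string>& arr) {
    return std::find(arr.begin(), arr.end(), v) != arr.end();
}

// The flawed logic: strtolower(file_type) checked with in_array() and nothing else.
static bool up_img_weak(const Upload& u) {
    return inArray(lower(u.contentType), kAllowedTypes);
}

// pathinfo()-style extension: text after the last '.' of the last path component.
static std::string extension(const std::string& name) {
    size_t slash = name.find_last_of("/\\");
    std::string base = slash == std::string::npos ? name : name.substr(slash + 1);
    size_t dot = base.find_last_of('.');
    return dot == std::string::npos ? "" : lower(base.substr(dot + 1));
}

// Magic-byte check for the three formats in the allow list.
static bool looksLikeImage(const std::string& b) {
    if (b.size() >= 3 && b.compare(0, 3, "\xFF\xD8\xFF") == 0) return true;       // JPEG
    if (b.size() >= 8 && b.compare(0, 8, "\x89PNG\r\n\x1A\n") == 0) return true;  // PNG
    if (b.size() >= 6 && (b.compare(0, 6, "GIF87a") == 0 ||
                          b.compare(0, 6, "GIF89a") == 0)) return true;          // GIF
    return false;
}

// Hardened decision: Content-Type is still checked, but the extension must be
// on the allow list and the body must start with the matching signature.
static bool up_img_hardened(const Upload& u) {
    if (!inArray(lower(u.contentType), kAllowedTypes)) return false;
    if (!inArray(extension(u.filename), kAllowedExt)) return false;  // .php rejected here
    return looksLikeImage(u.bytes);
}

int main() {
    // Constructed sample: a PHP file sent with a spoofed image Content-Type.
    Upload php{"shell.php", "image/jpeg", "<?php phpinfo(); ?>"};
    std::printf("weak: %s, hardened: %s\n",
                up_img_weak(php) ? "accepted" : "rejected",
                up_img_hardened(php) ? "accepted" : "rejected");
    return 0;
}
```

Even with these checks, the saved file should be renamed server-side and stored outside any directory the web server will execute scripts from; the extension and magic checks only stop the direct bypass the article exploits.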
As can be seen from the allocation, release, and caching of the UAF object: if the RenderWidgetHostViewAura object is released by the relevant function while redraw tasks are still in the queue, the cached RenderWidgetHostViewAura pointer is dereferenced the next time Refresh is called. The object has already been freed, so a UAF is triggered.
To avoid caching the RenderWidgetHostView when the CurrentTabDesktopMediaList is created, the object can instead be obtained through content::RenderFrameHost::FromID and content::RenderWidgetHostView each time it is needed. Once the view object has been released, the lookup returns a null pointer, which avoids the UAF. The code is as follows:
After the MediaList is created in the ProcessQueuedAccessRequest function, the show function is called to display the authorization pop-up, as shown below:
In the StartUpdating function, the refresh_callback_ member is bound to the DesktopMediaListBase::ScheduleNextRefresh function, and then the Refresh function is called, as follows:
In the Refresh function, the reply is bound to the OnCaptureHandled function and then passed as a parameter to the CopyFromSurface function. OnCaptureHandled therefore calls OnRefreshComplete to return the result, and OnRefreshComplete runs refresh_callback_, which calls the DesktopMediaListBase::ScheduleNextRefresh function, as shown below:
In the ScheduleNextRefresh function, the refresh_callback_ member is bound to ScheduleNextRefresh again, and a delayed task is posted to call the Refresh function, forming a loop that constantly refreshes the window:
After the POC calls window.close(), the tab is closed and a series of objects are released, including the previously allocated RenderFrameHostManager object. The close-window message, after being dispatched by the relevant Mojo components, reaches the content::WebContentsImpl::Close function, as shown below:
CloseWebContents attempts a fast shutdown to close the relevant tab:
Through the call chain above, the window_ object is deleted.
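The following is an added example, not Chromium code: a toy model of the lifetime bug described in this section, covering both the cached-pointer UAF and the fix that looks the view up on every refresh. A view lives in a registry keyed by frame id (standing in for content::RenderFrameHost::FromID), refresh tasks sit on a delayed-task queue and each one re-queues the next as ScheduleNextRefresh does, and closing the tab deletes the view while tasks are still queued. The class and member names are assumptions; the "cached" list counts the dereference it would have made of the freed object instead of performing it.

```cpp
#include <deque>
#include <functional>
#include <map>
#include <memory>
#include <set>

struct RenderWidgetHostView {
    int frameId = 0;
    int captures = 0;
    void CopyFromSurface() { ++captures; }
};

// Owns the views; FromID stands in for the RenderFrameHost::FromID lookup.
struct ViewRegistry {
    std::map<int, std::unique_ptr<RenderWidgetHostView>> views;
    std::set<const void*> freed;   // addresses of deleted views (model only)
    RenderWidgetHostView* Create(int id) {
        auto v = std::make_unique<RenderWidgetHostView>();
        v->frameId = id;
        RenderWidgetHostView* raw = v.get();
        views[id] = std::move(v);
        return raw;
    }
    RenderWidgetHostView* FromID(int id) const {   // nullptr once the tab is closed
        auto it = views.find(id);
        return it == views.end() ? nullptr : it->second.get();
    }
    void CloseTab(int id) {                        // window.close(): view deleted
        auto it = views.find(id);
        if (it == views.end()) return;
        freed.insert(it->second.get());
        views.erase(it);
    }
    bool WasFreed(const void* p) const { return freed.count(p) != 0; }
};

// Delayed-task runner; Drain(n) runs at most n queued tasks.
struct TaskQueue {
    std::deque<std::function<void()>> tasks;
    void PostDelayedTask(std::function<void()> t) { tasks.push_back(std::move(t)); }
    int Drain(int maxTasks) {
        int ran = 0;
        while (!tasks.empty() && ran < maxTasks) {
            auto t = std::move(tasks.front());
            tasks.pop_front();
            t();
            ++ran;
        }
        return ran;
    }
};

// Vulnerable shape: the view pointer is cached at creation and reused.
struct CachedMediaList {
    RenderWidgetHostView* view_;   // dangling after CloseTab()
    ViewRegistry* registry_;
    TaskQueue* queue_;
    int danglingDerefs = 0;
    void Refresh() {
        // A real Refresh would call view_->CopyFromSurface() here; after
        // CloseTab() that is the UAF. The model counts it instead of doing it.
        if (registry_->WasFreed(view_)) { ++danglingDerefs; return; }
        view_->CopyFromSurface();
    }
    void ScheduleNextRefresh() {
        queue_->PostDelayedTask([this] { Refresh(); ScheduleNextRefresh(); });
    }
};

// Fixed shape: keep the frame id and look the view up on every refresh.
struct FixedMediaList {
    int frameId_;
    ViewRegistry* registry_;
    TaskQueue* queue_;
    int captures = 0, skipped = 0;
    void Refresh() {
        RenderWidgetHostView* view = registry_->FromID(frameId_);
        if (!view) { ++skipped; return; }   // tab gone: nothing to capture
        view->CopyFromSurface();
        ++captures;
    }
    void ScheduleNextRefresh() {
        queue_->PostDelayedTask([this] { Refresh(); ScheduleNextRefresh(); });
    }
};

struct Outcome { int cachedDanglingDerefs; int fixedSkipped; int fixedCaptures; };

// The sequence from the text: StartUpdating, a refresh cycle, then the tab
// closes while refresh tasks are still queued, and the queue keeps running.
static Outcome RunScenario() {
    ViewRegistry reg;
    TaskQueue q;
    RenderWidgetHostView* view = reg.Create(7);
    CachedMediaList cached{view, &reg, &q};
    FixedMediaList fixed{7, &reg, &q};
    cached.Refresh(); cached.ScheduleNextRefresh();   // StartUpdating
    fixed.Refresh();  fixed.ScheduleNextRefresh();
    q.Drain(2);                                       // one cycle each, tab open
    reg.CloseTab(7);                                  // window.close()
    q.Drain(4);                                       // two more cycles each
    return {cached.danglingDerefs, fixed.skipped, fixed.captures};
}
```

The model shows why the fix works without stopping the refresh loop: the loop keeps running after the tab closes, but every cycle re-resolves the view through the registry and gets nullptr, whereas the cached raw pointer is still non-null and would be dereferenced. In real code the freed address can be reused by a later allocation, which is what makes the cached-pointer variant exploitable rather than merely a crash.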