qq-tim-elevation's Introduction

Tencent QQ/TIM Local Privilege Elevation

Affected Products:

  • QQ 9.7.1.28940 ~ 9.7.8.29039
  • TIM 3.4.5.22071 ~ 3.4.7.22084

Affected Components:

  • QQProtect.exe 4.5.0.9424 (in TIM 3.4.5.22071)
  • QQProtect.exe 4.5.0.9426 (in QQ 9.7.1.28940)
  • QQProtectEngine.dll 4.5.0.9424 (in TIM 3.4.5.22071)
  • QQProtectEngine.dll 4.5.0.9426 (in QQ 9.7.1.28940)

1. Summary

Tencent QQ and TIM are two instant messaging applications developed by Shenzhen Tencent Computer System Co., Ltd. Both ship a component, QQProtect.exe, located in %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin. QQProtect.exe is installed as a Windows service named QPCore that starts automatically at boot and runs as NT Authority\SYSTEM. Both QQProtect.exe and the DLL it depends on, QQProtectEngine.dll, contain an arbitrary address write vulnerability. A low-privileged attacker can combine the two write primitives to load a malicious DLL into the QQProtect.exe process and obtain an NT Authority\SYSTEM shell.

2. Vulnerability

The first vulnerability is the code at QQProtect.exe+0x40c9f8:

where a2 is an attacker-controlled pointer and dword_41a740 is a global variable whose value is 0x00000001. An attacker can therefore write the DWORD value 1 to any address of their choosing.

The second vulnerability is the code at QQProtectEngine.dll+0x3B4F6:

where v3 is an attacker-controlled pointer. An attacker can therefore write the value std::bit_cast<DWORD>(ptr) + 4, i.e. the target address plus 4, to any chosen address ptr.

Because QQProtect.exe is not built with ASLR, its code and data live at fixed addresses. An attacker can therefore use these primitives to tamper with a function pointer that resides in QQProtect.exe and pivot to ROP chains to execute arbitrary code with little effort.
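To verify the "no ASLR" claim on a given build rather than take it on trust, the following Rust program (an added example; it is not code from the qq-tim-elevation repository or from Tencent) parses a PE image's COFF and optional headers and reports DYNAMIC_BASE, NX_COMPAT and GUARD_CF, treating a stripped relocation table as defeating ASLR even when DYNAMIC_BASE is set. The header-only image it builds for the demonstration is constructed test data, not a real QQProtect.exe; pass the path of a real binary as the first argument to inspect it.

```rust
// Added example (not from the qq-tim-elevation repository): read a PE image's
// COFF and optional headers and report the mitigation flags it was built with.

const IMAGE_FILE_RELOCS_STRIPPED: u16 = 0x0001;
const IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: u16 = 0x0040;
const IMAGE_DLLCHARACTERISTICS_NX_COMPAT: u16 = 0x0100;
const IMAGE_DLLCHARACTERISTICS_GUARD_CF: u16 = 0x4000;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct PeMitigations {
    pub pe32_plus: bool,
    pub dynamic_base: bool,
    pub relocs_stripped: bool,
    pub nx_compat: bool,
    pub guard_cf: bool,
}

impl PeMitigations {
    /// ASLR needs DYNAMIC_BASE *and* a relocation table: without relocations the
    /// loader maps the image at its preferred ImageBase and every address is fixed.
    pub fn aslr_effective(&self) -> bool {
        self.dynamic_base && !self.relocs_stripped
    }
}

fn u16_at(data: &[u8], off: usize) -> Option<u16> {
    data.get(off..off.checked_add(2)?).map(|b| u16::from_le_bytes([b[0], b[1]]))
}

fn u32_at(data: &[u8], off: usize) -> Option<u32> {
    data.get(off..off.checked_add(4)?).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Walk DOS header -> "PE\0\0" -> COFF header (20 bytes) -> optional header.
pub fn parse_pe_mitigations(data: &[u8]) -> Result<PeMitigations, &'static str> {
    if !data.starts_with(b"MZ") {
        return Err("missing MZ signature");
    }
    let e_lfanew = u32_at(data, 0x3C).ok_or("truncated DOS header")? as usize;
    if !data.get(e_lfanew..).map_or(false, |s| s.starts_with(b"PE\0\0")) {
        return Err("missing PE signature");
    }
    // COFF: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    // NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2).
    let coff = e_lfanew + 4;
    let opt_size = u16_at(data, coff + 16).ok_or("truncated COFF header")? as usize;
    let characteristics = u16_at(data, coff + 18).ok_or("truncated COFF header")?;
    let opt = coff + 20;
    let pe32_plus = match u16_at(data, opt).ok_or("truncated optional header")? {
        0x10B => false,
        0x20B => true,
        _ => return Err("unknown optional header magic"),
    };
    // DllCharacteristics sits at optional-header offset 70 in both PE32 and PE32+
    // (PE32+ drops BaseOfData and widens ImageBase, so the later offsets coincide).
    if opt_size < 72 {
        return Err("optional header too small");
    }
    let dll = u16_at(data, opt + 70).ok_or("truncated optional header")?;
    Ok(PeMitigations {
        pe32_plus,
        dynamic_base: (dll & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0,
        relocs_stripped: (characteristics & IMAGE_FILE_RELOCS_STRIPPED) != 0,
        nx_compat: (dll & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0,
        guard_cf: (dll & IMAGE_DLLCHARACTERISTICS_GUARD_CF) != 0,
    })
}

/// Constructed test data (a header-only PE32, not a real binary) carrying the
/// given COFF Characteristics and DllCharacteristics.
pub fn build_header_only_pe(characteristics: u16, dll_characteristics: u16) -> Vec<u8> {
    let mut img = vec![0u8; 0x40];
    img[..2].copy_from_slice(b"MZ");
    img[0x3C..].copy_from_slice(&0x40u32.to_le_bytes()); // e_lfanew
    img.extend_from_slice(b"PE\0\0");
    img.extend_from_slice(&0x014Cu16.to_le_bytes()); // Machine = IMAGE_FILE_MACHINE_I386
    img.extend_from_slice(&[0u8; 14]);               // NumberOfSections .. NumberOfSymbols
    img.extend_from_slice(&224u16.to_le_bytes());    // SizeOfOptionalHeader (PE32)
    img.extend_from_slice(&characteristics.to_le_bytes());
    let mut opt = [0u8; 224];
    opt[..2].copy_from_slice(&0x10Bu16.to_le_bytes()); // Magic = PE32
    opt[70..72].copy_from_slice(&dll_characteristics.to_le_bytes());
    img.extend_from_slice(&opt);
    img
}

fn main() {
    // 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE, relocations kept, no DYNAMIC_BASE.
    let sample = build_header_only_pe(0x0102, IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    let m = parse_pe_mitigations(&sample).expect("constructed sample parses");
    println!("constructed sample: ASLR effective = {} {:?}", m.aslr_effective(), m);
    // Pass a real image (e.g. QQProtect.exe) as argv[1] to check the advisory's claim.
    if let Some(path) = std::env::args().nth(1) {
        match std::fs::read(&path) {
            Ok(data) => println!("{}: {:?}", path, parse_pe_mitigations(&data)),
            Err(e) => println!("{}: {}", path, e),
        }
    }
}
```

Run it with no arguments to see the constructed sample, or with the path to QQProtect.exe to check the installed binary. A `false` from `aslr_effective()` means the image's code and data addresses never move, which is what makes a function pointer inside it a usable overwrite target for the primitives above.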

3. Proof of concept

The PoC is written in Rust. Build it with the i686-pc-windows-msvc toolchain so that the resulting DLLs are 32-bit, matching QQProtect.exe:

$ cd poc
$ cargo +stable-i686-pc-windows-msvc build --release --config "build.rustflags = [\"-C\", \"target-feature=+crt-static\"]"

You will get two DLLs:

target\release\tinyxml.dll
target\release\evil.dll

Then place the two DLLs above and %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin\QQProtect.exe together in one folder.

Finally, obtain an NT Authority\SYSTEM shell with a single command:

$ QQProtect.exe <PATH TO evil.dll>

4. Demonstration

demonstration.gif

Contributors

vi3t1
