Skip to content

jiceylc/qq-tim-elevation

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Tencent QQ/TIM Local Privilege Elevation

Affected Products:

  • QQ 9.7.1.28940 ~ 9.7.8.29039
  • TIM 3.4.5.22071 ~ 3.4.7.22084

Affected Components:

  • QQProtect.exe 4.5.0.9424 (in TIM 3.4.5.22071)
  • QQProtect.exe 4.5.0.9426 (in QQ 9.7.1.28940)
  • QQProtectEngine.dll 4.5.0.9424 (in TIM 3.4.5.22071)
  • QQProtectEngine.dll 4.5.0.9426 (in QQ 9.7.1.28940)

1. Summary

Tencent QQ and TIM are two instant messaging softwares developped by Shenzhen Tencent Computer System Co., Ltd. They both have a component QQProtect.exe locating in %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin. QQProtect.exe is installed as a Windows service named QPCore and runs as NT Authority\SYSTEM automatically when system starts up. Both the component QQProtect.exe and its dependent DLL QQProtectEngine.dll have an arbitrary address write vulnerability. An attacker with low privilege can load evil DLL inside QQProtect.exe process by combining the two vulnerability and gets NT Authority\SYSTEM shell.

2. Vulnerability

The first vulnerability is the code at QQProtect.exe+0x40c9f8:

where a2 is a pointer that can be controlled by an attacker and dword_41a740 is a global variable whose value is 0x00000001. So an attacker can write the value DWORD(1) at any address.

The second vulnerability is the code at QQProtectEngine.dll+0x3B4F6:

where v3 is a pointer that can be controlled by an attacker. So an attacker can write the value std::bit_cast<DWORD>(ptr) + 4 at any given address ptr.

An attacker can tamper with a function pointer resides in QQProtect.exe and use ROP chains to execute arbitray code easily due to the fact that QQProtect.exe does not have ASLR protection.

3. Proof of concepts

The poc code is written in Rust language. You should use i686-pc-windows-msvc toolchain to compile it.

$ cd poc
$ cargo +stable-i686-pc-windows-msvc build --release --config "build.rustflags = [\"-C\", \"target-feature=+crt-static\"]"

You will get two DLLs:

target\release\tinyxml.dll
target\release\evil.dll

Then put the two Dlls above and %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin\QQProtect.exe togather in a folder.

Finally get NT Authority\SYSTEM shell with one command:

$ QQProtect.exe <PATH TO evil.dll>

4. Demonstration

demonstration.gif

About

CVE-2023-34312

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Rust 100.0%