Windows Remote System Forced Shutdown Privilege Check

Vulnerability Information

Vulnerability name: Windows Remote System Forced Shutdown Privilege Check

Vulnerability type: privilege bypass

Severity: medium

Description: The affected product is Microsoft's Windows operating system, a widely used operating system deployed on personal computers and enterprise servers worldwide. This vulnerability concerns the assignment of the "Force shutdown from a remote system" policy (SeRemoteShutdownPrivilege) in Windows. By default this policy should be assigned only to the Administrators group (SID: S-1-5-32-544); if it is mistakenly assigned to unauthorized accounts or groups, it can create a security risk. The root cause is improper privilege configuration that allows non-administrator accounts or groups to obtain the right to shut the system down remotely. An attacker can abuse this privilege-bypass weakness to perform unauthorized remote shutdowns, causing service interruption or a denial-of-service condition. The attacker needs no authentication to exploit it, and exploitation can be automated, so it poses a medium risk to system security.

Vendor: Microsoft

Product: Windows

Source: https://github.com/projectdiscovery/nuclei-templates/blob/b740ee6791c0a6d36cac233d23a096ba91d2f060/code%2Fwindows%2Faudit%2Fkisa%2Fremote-system-shutdown.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: remote-system-shutdown

info:
  name: Remote System Forced Shutdown Privilege Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure the "Force shutdown from a remote system" policy (SeRemoteShutdownPrivilege) is assigned only to the Administrators group (SID: S-1-5-32-544). Granting this privilege to unauthorized accounts can allow attackers to remotely shut down the system, posing a significant risk.
  impact: |
    Granting this privilege to accounts or groups other than Administrators can be exploited to carry out unauthorized remote shutdowns, resulting in service disruptions or denial-of-service conditions.
  remediation: |
    Configure the policy to grant the SeRemoteShutdownPrivilege exclusively to the Administrators group by setting its value to S-1-5-32-544 only.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: policy,code,windows-audit,kisa

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      # Export the current security policy (secedit needs administrator rights).
      $cfgPath = Join-Path $env:TEMP "secedit-export.cfg"
      secedit /export /cfg $cfgPath | Out-Null
      # Read the exported INF and remove the temporary copy.
      $cfg = Get-Content $cfgPath | Out-String
      Remove-Item $cfgPath -ErrorAction SilentlyContinue
      # Extract the SeRemoteShutdownPrivilege line from the [Privilege Rights] section.
      if ($cfg -match "SeRemoteShutdownPrivilege\s*=\s*(.*)") {
        # secedit writes SIDs with a leading '*' (e.g. *S-1-5-32-544) and separates
        # several grantees with commas, so normalise the list before comparing.
        $privs = @($Matches[1].Trim() -split "," | ForEach-Object { $_.Trim().TrimStart("*") } | Where-Object { $_ })
        # Compliant only when the Administrators SID (S-1-5-32-544) is the sole grantee.
        if ($privs.Count -eq 1 -and $privs[0] -eq "S-1-5-32-544") {
          "REMOTE_SHUTDOWN_PRIVILEGE_COMPLIANT"
        } else {
          "REMOTE_SHUTDOWN_PRIVILEGE_VULNERABLE"
        }
      } else {
        "REMOTE_SHUTDOWN_PRIVILEGE_NOT_FOUND"
      }

    matchers:
      - type: word
        words:
          - "REMOTE_SHUTDOWN_PRIVILEGE_VULNERABLE"
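The template above relies on the format of a secedit /export INF file, where SIDs in the [Privilege Rights] section carry a leading '*' and several grantees are comma separated. The following parser is an added example, not part of the nuclei template or the page's own code; it evaluates SeRemoteShutdownPrivilege against the same "Administrators only" rule on a constructed sample export and also reports which unexpected grantees were found (the sample content, the 'BACKUPSVC' account name and the function names are assumptions for illustration).

```python
import re

# Constructed sample of a secedit /export INF, cut down to the sections that matter.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,BACKUPSVC
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

ADMINISTRATORS_SID = "S-1-5-32-544"


def parse_privilege_rights(inf_text):
    """Return {privilege: [grantee, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        # secedit writes SIDs as *S-1-..., comma separated; named accounts have no '*'.
        rights[name] = [g.strip().lstrip("*") for g in value.split(",") if g.strip()]
    return rights


def check_remote_shutdown(inf_text, allowed=frozenset({ADMINISTRATORS_SID})):
    """Return (status, unexpected grantees); vulnerable if any grantee is outside 'allowed'."""
    rights = parse_privilege_rights(inf_text)
    if "SeRemoteShutdownPrivilege" not in rights:
        return "NOT_FOUND", []
    grantees = rights["SeRemoteShutdownPrivilege"]
    unexpected = sorted(g for g in grantees if g not in allowed)
    if unexpected:
        return "VULNERABLE", unexpected
    return "COMPLIANT", []
```

An empty assignment (nobody holds the privilege) is reported as compliant here, since no account outside Administrators can use it.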


http://example.com/2025/07/10/github_3759353471/
Author: lianccc

Published on: July 10, 2025