Windows Hard Disk Default Share Vulnerability

Vulnerability Information

Vulnerability name: Windows Hard Disk Default Share Vulnerability

Vulnerability type: Unauthorized access

Severity: Medium

Vulnerability description: This issue concerns the default administrative shares of the Windows operating system (such as C$, D$ and Admin$) not being properly disabled. By default, Windows creates these shares to ease network administration and file sharing, but if they are not configured appropriately they can expose system resources to unauthorized access. The technical root cause is that the AutoShareServer registry value is set to 1, or that the default administrative shares have not been removed, which lets an attacker use these shares to gain unauthorized access. The scope of impact is broad, because almost every version of Windows may be affected. An attacker could use this issue to reach sensitive system files, potentially leading to data leakage, service disruption or other security risks. Notably, exploiting it typically requires no authentication and can be automated, so the risk is high. To mitigate it, set the AutoShareServer registry value to 0 and remove all non-essential default shares.

Vendor: Microsoft

Product: Windows

Source: https://github.com/projectdiscovery/nuclei-templates/blob/b740ee6791c0a6d36cac233d23a096ba91d2f060/code%2Fwindows%2Faudit%2Fkisa%2Fhard-disk-default-share.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: hard-disk-default-share

info:
  name: Hard Disk Default Share Removal Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure default administrative shares (e.g., C$, D$, Admin$) are disabled by verifying that the AutoShareServer registry value is set to 0.
    Leaving these shares enabled can expose system resources to unauthorized access.
  impact: |
    If the AutoShareServer registry value is set to 1 or default administrative shares (excluding IPC$) are present, attackers may exploit them to gain unauthorized access to system resources.
  remediation: |
    Permanently disable default administrative shares by setting the AutoShareServer registry value to 0 at:
    - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    - Additionally, remove any non-essential default shares using the appropriate system management tools.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: ftp,iis,code,windows-audit,kisa,share-permissions

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $vulnerable = $false
      # Check the AutoShareServer registry value
      $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
      $autoShare = (Get-ItemProperty -Path $regPath -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
      if ($autoShare -eq 1) {
          $vulnerable = $true
      }
      # Retrieve list of shared folders using 'net share'
      $netShares = net share | Out-String
      $lines = $netShares -split "`n"
      $shareNames = @()
      $startParsing = $false
      foreach ($line in $lines) {
          if ($line -match "^-+") {
              $startParsing = $true
              continue
          }
          if ($startParsing -and $line.Trim() -ne "" -and $line -notmatch "The command completed successfully") {
              $tokens = $line.Trim() -split "\s+"
              if ($tokens.Count -gt 0) {
                  $shareNames += $tokens[0]
              }
          }
      }
      # Define default shares to check (excluding IPC$)
      $defaultShares = @("C$", "D$", "Admin$")
      foreach ($share in $shareNames) {
          if ($defaultShares -contains $share) {
              $vulnerable = $true
              break
          }
      }
      if ($vulnerable) {
          "DEFAULT_SHARE_VULNERABLE"
      } else {
          "DEFAULT_SHARE_COMPLIANT"
      }

    matchers:
      - type: word
        words:
          - "DEFAULT_SHARE_VULNERABLE"

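The template above detects the condition by parsing the text output of net share. The following is an added example, not part of the nuclei template or of the original page, showing how an administrator would perform the same audit with the SmbShare cmdlets (which expose the system-created shares through the Special property, so no text parsing is needed) and, on request, apply the remediation the description recommends. It goes slightly beyond the page by also checking AutoShareWks, the equivalent registry value on client editions of Windows. Assumptions: Windows 8 / Server 2012 or later, an elevated PowerShell session, and a script-local -Remediate switch defined here for illustration.

```powershell
# Added example: audit (and optionally harden) the default administrative shares.
# Not the nuclei template's code. Assumes an elevated session on Windows 8 /
# Server 2012 or later, where the SmbShare module is available.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch defined for this example
)

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$findings = @()

# 1. Registry: AutoShareServer (server SKUs) and AutoShareWks (client SKUs).
#    A value of 1, or no value at all, means the Server service recreates the
#    administrative shares every time it starts, so removing them alone is not enough.
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    $value = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        $findings += "$name is not set (defaults to enabled)"
    } elseif ($value -ne 0) {
        $findings += "$name = $value (expected 0)"
    }
}

# 2. Live share list. Special marks shares created by the system (C$, ADMIN$, ...).
#    IPC$ is excluded, as in the template, because many services depend on it.
$adminShares = Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' }
foreach ($share in $adminShares) {
    $findings += "Administrative share present: $($share.Name) -> $($share.Path)"
}

if ($findings.Count -eq 0) {
    Write-Output 'DEFAULT_SHARE_COMPLIANT'
    return
}

Write-Output 'DEFAULT_SHARE_VULNERABLE'
$findings | ForEach-Object { Write-Output "  - $_" }

if ($Remediate) {
    # Persist the setting first so the shares are not recreated on the next
    # service start, then remove the ones that are currently active.
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        Set-ItemProperty -Path $regPath -Name $name -Value 0 -Type DWord
    }
    foreach ($share in $adminShares) {
        Remove-SmbShare -Name $share.Name -Force
    }
    Write-Output 'Remediation applied. Restart the Server (LanmanServer) service and re-run the audit to confirm.'
}
```

Run it without arguments to audit only; pass -Remediate to apply the change. Before removing the shares on a managed host, confirm that no remote administration or backup tooling in the environment relies on them: several such products reach the file system through ADMIN$ and the drive shares, and the audit result alone does not tell you whether that is the case.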

http://example.com/2025/07/10/github_982386805/
Author: lianccc
Published: July 10, 2025