Windows Update Service 权限提升漏洞
漏洞信息
漏洞名称: Windows Update Service 权限提升漏洞
漏洞编号:
- CVE: CVE-2025-48799
漏洞类型: 权限提升
漏洞等级: 高危
漏洞描述: ### 受影响产品
Windows Update服务是微软Windows操作系统中的一个核心组件,负责系统的自动更新和补丁管理。它广泛应用于个人和企业环境中,是确保系统安全的重要服务。此次漏洞影响的版本包括Windows 10和Windows 11,特别是那些配备至少两块硬盘的系统。
漏洞说明
该漏洞属于权限提升类型,具体存在于Windows Update服务(wuauserv)中。当系统配置有多块硬盘,并且用户通过存储感知功能将新内容的保存位置重定向到第二块硬盘时,安装新应用程序的过程中会出现问题。服务在处理路径时未能充分检查符号链接,导致可以执行任意文件夹删除操作。这一缺陷可能被利用来提升本地权限,从而允许攻击者在系统上执行未授权的操作。
影响分析
此漏洞的安全风险较高,因为它允许攻击者在不需要用户交互的情况下,通过本地访问权限提升至系统级别权限。这意味着攻击者可以删除关键系统文件,安装恶意软件,或者访问敏感数据。由于Windows Update服务在默认情况下以高权限运行,利用此漏洞可能导致整个系统被控制。此外,该漏洞的利用不需要复杂的用户交互,增加了其被自动化工具利用的可能性。因此,对于运行受影响Windows版本的用户和组织来说,及时应用官方补丁是至关重要的。
产品厂商: Microsoft
产品名称: Windows Update Service
影响版本: Windows 10, Windows 11
来源: https://github.com/KOVmechatronics/CVE-2025-48799
类型: CVE-2025:github search
仓库文件
- README.md
- WinUpdateEoP
来源概述
CVE-2025-48799: Elevation of Privilege in Windows Update Service
Description
This repository contains a Proof of Concept (PoC) for CVE-2025-48799, an elevation of privilege vulnerability found in the Windows Update service. This vulnerability impacts Windows clients, specifically Windows 10 and Windows 11, that have at least two hard drives.
When a machine is equipped with multiple hard drives, users can modify the location where new content is saved through the Storage Sense feature. If the location for new applications is redirected to a secondary drive, a critical issue arises during the installation of new applications. The wuauserv service, which is responsible for Windows Update operations, may perform arbitrary folder deletions without adequately checking for symbolic links. If a file is encountered, the service will check the final path using the GetFinalPathByHandle function. This oversight can lead to local privilege escalation (LPE).
This PoC utilizes methods and code described in the ZDI blog post.
Proof of Concept
To explore the PoC, you can download and execute the relevant files from the Releases section. This section contains the necessary files to demonstrate the vulnerability.
How It Works
Vulnerability Overview: The
wuauservservice does not properly validate paths when dealing with multiple hard drives. This can lead to unintended deletions of important files or directories.Triggering the Vulnerability: By changing the installation location of applications to a secondary drive, you can initiate the conditions that lead to arbitrary deletions.
Exploiting the Vulnerability: The PoC shows how to exploit this behavior, allowing an attacker to gain elevated privileges on the system.
Requirements
- Windows 10 or Windows 11
- At least two hard drives
- Administrative privileges to run the PoC
Usage
To use the PoC:
- Download the necessary files from the Releases section.
- Follow the instructions in the provided documentation to set up the environment.
- Execute the PoC to demonstrate the vulnerability.
Example Code Snippet
Here’s a simplified example of how the vulnerability can be triggered:
1 | |
Important Notes
- This PoC is intended for educational purposes only. Misuse of this information can lead to legal consequences.
- Always test in a controlled environment.
Additional Resources
For further reading on this vulnerability and related topics, consider checking the following resources:
Reporting Issues
If you encounter any issues or have questions regarding the PoC, please open an issue in this repository. Your feedback is valuable and helps improve the project.
License
This project is licensed under the MIT License. See the LICENSE file for details.
Acknowledgments
- Special thanks to the Zero Day Initiative for their research and documentation on this vulnerability.
- Thanks to the open-source community for their contributions and support.
For more updates, visit the Releases section for the latest files and improvements.