<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Vulnerability Analysis on Logic Security</title>
    <link>https://www.zoemurmure.top/categories/vulnerability-analysis/</link>
    <description>Recent content in Vulnerability Analysis on Logic Security</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <lastBuildDate>Mon, 21 Oct 2024 18:15:39 +0800</lastBuildDate>
    <atom:link href="https://www.zoemurmure.top/categories/vulnerability-analysis/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>[CVE-2024-43560] Windows Storage Port Driver Privilege Escalation Vulnerability</title>
      <link>https://www.zoemurmure.top/posts/cve_2024_43560/</link>
      <pubDate>Mon, 21 Oct 2024 18:15:39 +0800</pubDate>
      
      <guid>https://www.zoemurmure.top/posts/cve_2024_43560/</guid>
      <description>1. Background Based on the vulnerability name (Microsoft Windows Storage Port Driver), we can search and identify the corresponding file as storport.sys. This driver is used for communication between the computer and high-performance storage devices, defining how the computer communicates with these devices.
2. Patch Diffing System Version: Win11 22H2 Pro
The diff shows that 6 functions were modified:
After comparing the function code before and after the patch, the differences mainly lie in the calls to Feature_ class functions.</description>
    </item>
    
    <item>
      <title>[Learning Notes] Windows Downdate: Vulnerability Discovery and Exploitation</title>
      <link>https://www.zoemurmure.top/posts/windows_downdate/</link>
      <pubDate>Tue, 27 Aug 2024 15:55:41 +0800</pubDate>
      
      <guid>https://www.zoemurmure.top/posts/windows_downdate/</guid>
      <description>Overview In this post, the author discovers vulnerabilities in Windows Update by examining its architecture and execution flow. Under Administrator privileges, an attacker can manipulate registry keys to control arbitrary system files, replacing them and bypassing system integrity checks. Due to the lack of downgrade file validation in the operating system, this capability can be leveraged to achieve further privilege escalation and security boundary bypasses.
Principles Windows Update Architecture Approach 1: In the architecture shown above, privilege escalation from Administrator to Trusted Installer is possible.</description>
    </item>
    
    <item>
      <title>[CVE-2023-21554] Windows Message Queuing Remote Code Execution Vulnerability Analysis</title>
      <link>https://www.zoemurmure.top/posts/cve_2023_21554/</link>
      <pubDate>Wed, 17 May 2023 17:14:55 +0800</pubDate>
      
      <guid>https://www.zoemurmure.top/posts/cve_2023_21554/</guid>
      <description>0. Preface This article introduces the CVE-2023-21554 vulnerability, which exists in Microsoft's Message Queuing (MSMQ) service. Due to the service's lack of proper validation of data packets, an attacker can exploit this vulnerability to achieve remote code execution.
As I was not familiar with the MSMQ service, I first spent a significant portion of this post introducing the service and its related data structures. Afterwards, I located the vulnerability by comparing patches.</description>
    </item>
    
    <item>
      <title>Exploring Exploitation Methodologies for CVE-2023-21768 AFD for WinSock Elevation of Privilege</title>
      <link>https://www.zoemurmure.top/posts/cve_2023_21768/</link>
      <pubDate>Fri, 21 Apr 2023 09:52:44 +0800</pubDate>
      
      <guid>https://www.zoemurmure.top/posts/cve_2023_21768/</guid>
      <description>1. Preface This article analyzes the CVE-2023-21768 vulnerability, which resides in the AFD (Ancillary Function Driver) driver of the Windows operating system. Throughout this post, "the original article" refers to reference [1]. By studying that article, I reproduced and rewrote the exploit code while analyzing my own shortcomings relative to the steps taken by others when developing exploits.
This write-up covers three main sections: basic vulnerability analysis, vulnerability trigger attempts (PoC), and exploit implementation, along with a brief introduction to the I/O Ring concepts involved in the exploitation process.</description>
    </item>
    
    <item>
      <title>Win32k Type Confusion Vulnerability Analysis Guide</title>
      <link>https://www.zoemurmure.top/posts/win32k_1732_21881/</link>
      <pubDate>Tue, 07 Feb 2023 14:25:08 +0800</pubDate>
      
      <guid>https://www.zoemurmure.top/posts/win32k_1732_21881/</guid>
      <description>0. Preface As we all know, win32k has contributed significantly to Windows privilege escalation vulnerabilities in recent years. I have always wanted to understand the principles of these vulnerabilities and read many related papers for this purpose. However, as a novice in kernel vulnerability research, the write-ups on win32k vulnerabilities written by experts still looked like gibberish to me.
Of course, I know what UAF (Use-After-Free) and type confusion are, and I also know that many win32k vulnerabilities are caused by callback functions.</description>
    </item>
    
    <item>
      <title>[CVE-2023-21752] Windows Backup Service Local Privilege Escalation Vulnerability Analysis</title>
      <link>https://www.zoemurmure.top/posts/cve_2023_21752_1/</link>
      <pubDate>Tue, 17 Jan 2023 19:06:30 +0800</pubDate>
      
      <guid>https://www.zoemurmure.top/posts/cve_2023_21752_1/</guid>
      <description>0. Preface CVE-2023-21752 is the first Microsoft vulnerability of 2023 to have a public exploit. Initially, I thought it would be straightforward to analyze given the availability of exploit code. However, it ended up taking a significant amount of time. The primary challenges lay in two areas: locating the vulnerability and analyzing the exploit code. Therefore, this article dedicates substantial coverage to these two parts. Feedback and corrections are welcome.</description>
    </item>
    
  </channel>
</rss>
