Affected Products:
- QQ 9.7.1.28940 ~ 9.7.8.29039
- TIM 3.4.5.22071 ~ 3.4.7.22084
Affected Components:
- QQProtect.exe 4.5.0.9424 (in TIM 3.4.5.22071)
- QQProtect.exe 4.5.0.9426 (in QQ 9.7.1.28940)
- QQProtectEngine.dll 4.5.0.9424 (in TIM 3.4.5.22071)
- QQProtectEngine.dll 4.5.0.9426 (in QQ 9.7.1.28940)
Tencent QQ and TIM are two instant messaging softwares developped by Shenzhen Tencent Computer System Co., Ltd. They both have a component QQProtect.exe locating in %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin
. QQProtect.exe is installed as a Windows service named QPCore and runs as NT Authority\SYSTEM
automatically when system starts up. Both the component QQProtect.exe and its dependent DLL QQProtectEngine.dll have an arbitrary address write vulnerability. An attacker with low privilege can load evil DLL inside QQProtect.exe process by combining the two vulnerability and gets NT Authority\SYSTEM
shell.
The first vulnerability is the code at QQProtect.exe+0x40c9f8:
where a2
is a pointer that can be controlled by an attacker and dword_41a740
is a global variable whose value is 0x00000001
. So an attacker can write the value DWORD(1)
at any address.
The second vulnerability is the code at QQProtectEngine.dll+0x3B4F6:
where v3
is a pointer that can be controlled by an attacker. So an attacker can write the value std::bit_cast<DWORD>(ptr) + 4
at any given address ptr
.
An attacker can tamper with a function pointer resides in QQProtect.exe
and use ROP chains to execute arbitray code easily due to the fact that QQProtect.exe
does not have ASLR protection.
The poc code is written in Rust language. You should use i686-pc-windows-msvc
toolchain to compile it.
$ cd poc
$ cargo +stable-i686-pc-windows-msvc build --release --config "build.rustflags = [\"-C\", \"target-feature=+crt-static\"]"
You will get two DLLs:
target\release\tinyxml.dll
target\release\evil.dll
Then put the two Dlls above and %ProgramFiles(x86)%\Common Files\Tencent\QQProtect\bin\QQProtect.exe
togather in a folder.
Finally get NT Authority\SYSTEM
shell with one command:
$ QQProtect.exe <PATH TO evil.dll>