GitHub: mein-0/cve-2026-29923

# CVE-2026-29923 — pstrip64.sys Local Privilege Escalation

A minimal proof-of-concept for CVE-2026-29923, a vulnerability in the `pstrip64.sys` kernel driver (EnTech Taiwan PowerStrip ≤ 3.90.736) that allows an unprivileged user-mode process to escalate to `NT AUTHORITY\SYSTEM`.

## The Bug

`pstrip64.sys` exposes an IOCTL (`0x80002008`) that accepts a user-supplied physical address and maps it directly into the calling process's virtual address space by opening `\Device\PhysicalMemory` and calling `ZwMapViewOfSection` with the current process handle. There is no privilege check, no address validation beyond what `HalTranslateBusAddress` enforces, and no access control on the symbolic link `\\.\PSTRIP64`. The result is an unrestricted physical memory read/write primitive from an unprivileged process.

## Exploitation

With arbitrary physical read/write available, the exploit follows four steps.

**1. Scan for EPROCESS structures**

Physical RAM is walked in 2 MB chunks. Each chunk is scanned for the kernel pool tag `Proc` (`0x636F7250`), which marks the pool allocation that contains a process's `_EPROCESS` structure. Candidate hits are validated with three lightweight heuristics before the PID is trusted:

- `PriorityClass == 0x2` — all live processes run at Normal priority
- `ProcessLock == 0x0` — the lock field is clear on a stable process
- `ImageFileName[0]` is printable ASCII — garbage memory rarely satisfies this

**2. Locate both token pointers**

Two targets are needed:

- The **physical address** of our own process's `Token` field inside `_EPROCESS`
- The **token value** stored in the System process (`PID 4`) `_EPROCESS`

**3. Overwrite our token**

The 4 KB page containing our `Token` field is mapped and the field is overwritten with the System token value. From this point the Windows kernel treats our process as `NT AUTHORITY\SYSTEM`.

**4. Spawn a shell**

`cmd.exe` is launched via `CreateProcessA`. Because child processes inherit the parent's token, the resulting shell runs as SYSTEM.

## MMIO Caveat

The 3 GB – 4 GB physical address window is reserved for MMIO on x86 systems. Attempting to map pages in this range causes the driver to return error `74` (`HalTranslateBusAddress` failure). The scan skips this window and resumes at `0x100000000` to catch kernel structures that Windows places above the 4 GB mark.

## 32-bit Requirement

The driver's map handler writes the returned virtual address into a `DWORD` field (`LowPart`), truncating the 64-bit VA to 32 bits. A 64-bit build receives a corrupted pointer and crashes immediately. **Compile as x86.**

## Affected Software

| Software | Versions |
|---|---|
| EnTech Taiwan PowerStrip | ≤ 3.90.736 |

Driver hash (SHA-256): `ab01485bb7c8bc1a9c86096eeea6d31d8fad557bf4d44072b46373d2203faa6e`

## EPROCESS Offsets

The hardcoded offsets target **Windows 10 22H2 x64**. Other builds require updated values — use `dt nt!_EPROCESS` in WinDbg to confirm.

| Field | Offset |
|---|---|
| `PriorityClass` | `0x5B7` |
| `ProcessLock` | `0x438` |
| `UniqueProcessId` | `0x440` |
| `ImageFileName` | `0x5A8` |
| `Token` | `0x4B8` |

## Building

Open a Visual Studio x86 Developer Command Prompt and run:

```
cl /EHsc /O2 exploit.c /Fe:poc.exe
```

Or set the platform target to **x86** in Visual Studio and build in Release mode. The binary requires no external dependencies beyond the Windows SDK.

## Usage

Load `pstrip64.sys` first (requires administrator to load the driver, not to run the exploit itself once loaded), then:

```
poc.exe
```

A new `cmd.exe` window will open running as `NT AUTHORITY\SYSTEM`.

## Mitigation

**Block the driver from loading (preferred)**

- Add the driver hash above to your organization's blocklist
- Enable [Microsoft's Vulnerable Driver Blocklist](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules) via WDAC
- Enable Hypervisor-Protected Code Integrity (HVCI)

**Detect exploitation in progress**

- Alert on new kernel-mode service installations for unknown driver binaries
- Monitor for low/medium integrity processes spawning `SYSTEM`-level children
- Flag any process whose token changes to `NT AUTHORITY\SYSTEM` outside of a legitimate authentication event

## Disclaimer

This code is published for educational and defensive research purposes only. Use it only on systems you own or have explicit written permission to test. The author is not responsible for any misuse.

## References

- [Microsoft Vulnerable Driver Blocklist](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules)
- [WDAC Overview](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol)
- [Windows EPROCESS Internals](https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/ps/eprocess/index.htm)
- [HalTranslateBusAddress — MSDN](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-haltranslatebusaddress)
- [ZwMapViewOfSection — MSDN](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmapviewofsection)
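The Mitigation section lists two controls a defender can automate: matching driver images against a hash blocklist, and spotting a SYSTEM-level child whose parent ran as an ordinary user. The script below is an added example (not part of this repository) that implements both. It seeds the blocklist with the pstrip64.sys SHA-256 given under Affected Software, and its process-tree check assumes Sysmon Event ID 1 field names (`User`, `ParentUser`, `Image`, `ParentImage`, `IntegrityLevel`); the event records, hostname and user name in it are constructed for illustration.

```python
"""
Defensive checks for the two Mitigation bullets above (added example, not part
of this repository): (1) match on-disk driver images against a SHA-256
blocklist seeded with the pstrip64.sys hash published in this README, and
(2) flag a SYSTEM-level child created by a parent that ran as an ordinary
user, which is the process-tree shape a stolen System token produces.
Field names follow Sysmon Event ID 1; the records below are constructed,
not real telemetry.
"""
import hashlib
from pathlib import Path

# SHA-256 of the vulnerable pstrip64.sys build, as given in "Affected Software".
BLOCKED_DRIVER_HASHES = {
    "ab01485bb7c8bc1a9c86096eeea6d31d8fad557bf4d44072b46373d2203faa6e",
}

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
# Built-in service accounts that legitimately create SYSTEM children
# (services.exe, the AppInfo service behind UAC elevation, the task scheduler).
PRIVILEGED_ACCOUNTS = {
    SYSTEM_ACCOUNT,
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}


def sha256_of_file(path):
    """Hash a file in 1 MiB chunks so large driver images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_blocked_drivers(driver_dir, blocklist=BLOCKED_DRIVER_HASHES):
    """Return paths of *.sys files under driver_dir whose SHA-256 is blocklisted."""
    hits = []
    for path in sorted(Path(driver_dir).glob("*.sys")):
        if sha256_of_file(path).lower() in blocklist:
            hits.append(str(path))
    return hits


def is_suspicious_system_child(event):
    """
    True when the new process runs as SYSTEM but its parent did not run under a
    built-in service account. After the token overwrite in step 3 above, the
    exploit process still shows the interactive user in its own creation
    record, while the cmd.exe it spawns inherits the stolen SYSTEM token.
    """
    child_user = event.get("User", "").upper()
    parent_user = event.get("ParentUser", "").upper()
    return child_user == SYSTEM_ACCOUNT and parent_user not in PRIVILEGED_ACCOUNTS


def scan_process_events(events):
    """Return the events matching the SYSTEM-child-from-user-parent pattern."""
    return [e for e in events if is_suspicious_system_child(e)]


# Constructed Sysmon-style process-creation records (host and user are made up).
SAMPLE_EVENTS = [
    {   # benign: service host started by the Service Control Manager
        "Image": r"C:\Windows\System32\svchost.exe", "User": SYSTEM_ACCOUNT,
        "ParentImage": r"C:\Windows\System32\services.exe", "ParentUser": SYSTEM_ACCOUNT,
        "IntegrityLevel": "System",
    },
    {   # benign: user opens a command prompt from the shell
        "Image": r"C:\Windows\System32\cmd.exe", "User": "LAB-PC\\alice",
        "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": "LAB-PC\\alice",
        "IntegrityLevel": "Medium",
    },
    {   # suspicious: SYSTEM cmd.exe whose parent ran as the interactive user
        "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_ACCOUNT,
        "ParentImage": r"C:\Users\alice\Downloads\poc.exe", "ParentUser": "LAB-PC\\alice",
        "IntegrityLevel": "System",
    },
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print("SYSTEM child from user parent:", hit["ParentImage"], "->", hit["Image"])
    # On a Windows host, point this at the driver store; elsewhere it yields nothing.
    print("blocklisted drivers:", find_blocked_drivers(r"C:\Windows\System32\drivers"))
```

The process-tree rule keys on `ParentUser` rather than the child's integrity level because Sysmon records only the new process's integrity level; `ParentUser` is what separates a UAC elevation (parent is the AppInfo service running as SYSTEM) from a token stolen by a user-owned process. Tune `PRIVILEGED_ACCOUNTS` to include any service accounts that legitimately launch SYSTEM children in your environment.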