mirchr/openssldir_check

GitHub: mirchr/openssldir_check

一个 Windows 安全实用工具,通过检查 OpenSSL 库中 OPENSSLDIR 构建参数的路径权限配置,发现可导致本地权限提升的不安全配置。

Stars: 8 | Forks: 8

# openssldir_check ![构建状态](https://static.pigsec.cn/wp-content/uploads/repos/cas/86/86f6f4af9065dcd4f3a1aa2d8eae2c42ac132d9bdee9f1fe4621b81e06b5a78f.svg) 一个使用 C++ 编写的 Windows 实用程序,用于检查 OpenSSL 库中 OPENSSLDIR 构建参数使用的潜在不安全路径。捆绑了 OpenSSL 库的应用程序可能将 OPENSSLDIR 设置为可由低权限用户账户写入的路径。根据应用程序编写方式的不同,它可能会在启动期间或其他特定条件下自动加载 OPENSSLDIR/openssl.cnf。 openssl.cnf 配置文件可被利用来加载恶意的 OpenSSL Engine 库,从而导致以运行该易受攻击应用程序的账户权限执行任意代码。有关我如何使用 Private Internet Access Desktop VPN 客户端获取 SYSTEM 权限的详细示例,请阅读 https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/ 。有关其工作原理的信息,请参阅 https://wiki.openssl.org/index.php/Library_Initialization 。 在时间允许的情况下,将添加更多功能。以下是我可能会实现的功能。 * 检查 OPENSSLDIR 路径中列出的所有文件夹的权限 * 检查 OPENSSLDIR/openssl.cnf 的权限 * 检查 OpenSSL 1.1+ 的 OPENSSL_ENGINES_DIR 权限 * 创建在文件系统中搜索 OpenSSL 库的选项 * 日志记录 * XML/json 输出 * TODO:对发布的二进制文件进行代码签名(评估 Azure Trusted Signing 与来自云签名服务的 EV 证书) ## 下载 可以直接从最新的 GitHub Actions https://github.com/mirchr/openssldir_check/actions 构建中下载二进制文件。注意:这是临时的解决方案。长期来看,二进制文件将直接从 Github releases 提供。 ## 用法 ``` # OpenSSL v1.1+ openssldir_check_x64.exe .dll> # OpenSSL < v1.1 openssldir_check_x86.exe ``` ## 示例 TODO:添加示例用法的截图 ## 已知的 OPENSSLDIR 漏洞 | CVE | 应用程序 | 参考资料 | 贡献者 | |----------|----------|----------|----------| | [CVE‑2026‑34054](https://nvd.nist.gov/vuln/detail/CVE-2026-34054) | Microsoft vcpkg (OpenSSL Windows build) | [GHSA-p322-v6vw-vrq9](https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9) | Xavier DANEST (via [Trend Micro ZDI](https://www.zerodayinitiative.com/)) | | [CVE‑2026‑6482](https://nvd.nist.gov/vuln/detail/CVE-2026-6482) | Rapid7 Insight Agent (Windows) | [Rapid7 发布说明](https://docs.rapid7.com/insight/release-notes-2026-april/) | Dell Security Assurance | | [CVE‑2026‑3991](https://nvd.nist.gov/vuln/detail/CVE-2026-3991) | Symantec/Broadcom DLP Agent | [InfoGuard Labs 公告](https://labs.infoguard.ch/advisories/cve-2026-3991_symantec-dlp-agent_local-privilege-escalation/) | [Manuel Feifel](https://labs.infoguard.ch/) (InfoGuard Labs) | | [CVE‑2025‑27237](https://nvd.nist.gov/vuln/detail/CVE-2025-27237)| Zabbix Agent | [Zabbix ZBX-27061](https://support.zabbix.com/browse/ZBX-27061) | himbeer | | [CVE‑2025‑53841](https://nvd.nist.gov/vuln/detail/CVE-2025-53841) | Akamai Guardicore Platform Agent | [Akamai 公告](https://www.akamai.com/blog/security/2025/dec/advisory-cve-2025-53841-guardicore-local-privilege-escalation) | [SECURITEAM / Beyond Security SSD](https://securiteam.io/2025/09/08/privilege-escalation-akamai-guardicore-platform-agent/) | | [CVE‑2025‑47161](https://nvd.nist.gov/vuln/detail/CVE-2025-47161) | Microsoft Defender for Endpoint (MDE) | [MSRC](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161)
[Stratascale](https://www.stratascale.com/resource/cve-2025-47161-osquery-defender-linux/) | [Rich Mirch](https://x.com/0xm1rch) | | [CVE‑2025‑35471](https://nvd.nist.gov/vuln/detail/CVE-2025-35471) | conda-forge | [conda-forge issue #201](https://github.com/conda-forge/openssl-feedstock/issues/201) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2025‑2272](https://nvd.nist.gov/vuln/detail/CVE-2025-2272) | Forcepoint Endpoint DLP | [Triskele Labs 博客](https://www.triskelelabs.com/blog/cve-2025-2272-forcepoint-endpoint-dlp-privilege-escalation) | [Triskele Labs](https://www.triskelelabs.com/) | | [CVE‑2024‑6975](https://nvd.nist.gov/vuln/detail/CVE-2024-6975) | Cato Networks SDP Client | [AmberWolf 博客](https://blog.amberwolf.com/blog/2024/july/cve-2024-6975-cato-client-local-privilege-escalation-via-openssl-configuration-file/) | [AmberWolf](https://blog.amberwolf.com/) | | [CVE‑2024‑0394](https://nvd.nist.gov/vuln/detail/CVE-2024-0394) | Rapid7 Minerva Armor | [Rapid7 博客](https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-armor-privilege-escalation-fixed/) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2023‑41840](https://nvd.nist.gov/vuln/detail/CVE-2023-41840) | FortiClient Windows | [FortiGuard PSIRT](https://www.fortiguard.com/psirt/FG-IR-23-274) | 未公开 | | [CVE‑2023‑40596](https://nvd.nist.gov/vuln/detail/CVE-2023-40596) | Splunk Enterprise for Windows | [Splunk SVD-2023-0805](https://advisory.splunk.com/advisories/SVD-2023-0805) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2022‑32223](https://nvd.nist.gov/vuln/detail/CVE-2022-32223) | Node.js / npm CLI | [Aqua Security 博客](https://www.aquasec.com/blog/cve-2022-32223-dll-hijacking/) | [Yakir Kadkoda](https://www.aquasec.com/) (Aqua Security) | | [CVE‑2022‑29505](https://nvd.nist.gov/vuln/detail/CVE-2022-29505) | LINE for Windows | — | 未公开 | | [CVE‑2022‑26872](https://nvd.nist.gov/vuln/detail/CVE-2022-26872) | Tychon Endpoint | [CERT VU#730007](https://www.kb.cert.org/vuls/id/730007) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2022‑0166](https://nvd.nist.gov/vuln/detail/CVE-2022-0166) | McAfee Agent | [CERT VU#287178](https://www.kb.cert.org/vuls/id/287178) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2021‑2356](https://nvd.nist.gov/vuln/detail/CVE-2021-2356) | Oracle MySQL for Windows | [Oracle CPU 2021 年 7 月](https://www.oracle.com/security-alerts/cpujul2021.html) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2021‑2307](https://nvd.nist.gov/vuln/detail/CVE-2021-2307) | MySQL for Windows | [CERT VU#567764](https://www.kb.cert.org/vuls/id/567764) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2020‑36169](https://nvd.nist.gov/vuln/detail/CVE-2020-36169) | Veritas NetBackup / OpsCenter (Windows) | [Veritas VTS20-016](https://www.veritas.com/content/support/en_US/security/VTS20-016) | 未公开 | | [CVE‑2020‑36168](https://nvd.nist.gov/vuln/detail/CVE-2020-36168) | Veritas Resiliency Platform | [Veritas VTS20-015](https://www.veritas.com/content/support/en_US/security/VTS20-015) | 未公开 | | [CVE‑2020‑36167](https://nvd.nist.gov/vuln/detail/CVE-2020-36167) | Veritas Backup Exec | [Veritas VTS20-010](https://www.veritas.com/content/support/en_US/security/VTS20-010)
[CERT VU#429301](https://www.kb.cert.org/vuls/id/429301) | 未公开 | | [CVE‑2020‑36166](https://nvd.nist.gov/vuln/detail/CVE-2020-36166) | Veritas InfoScale / Storage Foundation / VIOM | [Veritas VTS20-014](https://www.veritas.com/content/support/en_US/security/VTS20-014) | 未公开 | | [CVE‑2020‑36165](https://nvd.nist.gov/vuln/detail/CVE-2020-36165) | Veritas Desktop and Laptop Option (DLO) | [Veritas VTS20-012](https://www.veritas.com/content/support/en_US/security/VTS20-012) | 未公开 | | [CVE‑2020‑36164](https://nvd.nist.gov/vuln/detail/CVE-2020-36164) | Veritas Enterprise Vault | [Veritas VTS20-013](https://www.veritas.com/content/support/en_US/security/VTS20-013) | 未公开 | | [CVE‑2020‑36163](https://nvd.nist.gov/vuln/detail/CVE-2020-36163) | Veritas NetBackup / OpsCenter (Windows) | [Veritas VTS20-016](https://www.veritas.com/content/support/en_US/security/VTS20-016) | 未公开 | | [CVE‑2020‑36162](https://nvd.nist.gov/vuln/detail/CVE-2020-36162) | Veritas CloudPoint (Windows Agent) | [Veritas VTS20-011](https://www.veritas.com/content/support/en_US/security/VTS20-011) | 未公开 | | [CVE‑2020‑36161](https://nvd.nist.gov/vuln/detail/CVE-2020-36161) | Veritas APTARE IT Analytics | [Veritas VTS20-009](https://www.veritas.com/content/support/en_US/security/VTS20-009) | 未公开 | | [CVE‑2020‑36160](https://nvd.nist.gov/vuln/detail/CVE-2020-36160) | Veritas System Recovery | [Veritas VTS20-017](https://www.veritas.com/content/support/en_US/security/VTS20-017) | 未公开 | | [CVE‑2020‑10143](https://nvd.nist.gov/vuln/detail/CVE-2020-10143) | Macrium Reflect | [CERT VU#760767](https://www.kb.cert.org/vuls/id/760767) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2020‑10139](https://nvd.nist.gov/vuln/detail/CVE-2020-10139) | Acronis True Image 2021 | [CERT VU#114757](https://www.kb.cert.org/vuls/id/114757) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2020‑10138](https://nvd.nist.gov/vuln/detail/CVE-2020-10138) | Acronis Cyber Backup / Cyber Protect | [CERT VU#114757](https://www.kb.cert.org/vuls/id/114757) | [Will Dormann](https://github.com/wdormann) | | [CVE‑2020‑8224](https://nvd.nist.gov/vuln/detail/CVE-2020-8224) | Nextcloud Desktop Client | [HackerOne #622170](https://hackerone.com/reports/622170) | [l00ph0le](https://hackerone.com/l00ph0le) | | [CVE‑2020‑7224](https://nvd.nist.gov/vuln/detail/CVE-2020-7224) | Aviatrix OpenVPN Client | [blog.mirch.io](https://blog.mirch.io/cve/) | [Rich Mirch](https://x.com/0xm1rch) | | [CVE‑2019‑12572](https://nvd.nist.gov/vuln/detail/CVE-2019-12572) | PIA VPN | [blog.mirch.io](https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/) | [Rich Mirch](https://x.com/0xm1rch) | | [CVE‑2019‑10211](https://nvd.nist.gov/vuln/detail/CVE-2019-10211) | PostgreSQL | [PostgreSQL 安全](https://www.postgresql.org/support/security/CVE-2019-10211/) | [Daniel Gustafsson](https://github.com/danielgustafsson) | | [CVE‑2019‑5443](https://nvd.nist.gov/vuln/detail/CVE-2019-5443) | curl | [curl.se](https://curl.se/docs/CVE-2019-5443.html)
[daniel.haxx.se](https://daniel.haxx.se/blog/2019/06/24/openssl-engine-code-injection-in-curl/) | [Rich Mirch](https://x.com/0xm1rch) | | [CVE‑2019‑2390](https://nvd.nist.gov/vuln/detail/CVE-2019-2390) | mongoDB | [MongoDB SERVER-42233](https://jira.mongodb.org/browse/SERVER-42233) | [Rich Mirch](https://x.com/0xm1rch) | | [CVE‑2019‑1552](https://nvd.nist.gov/vuln/detail/CVE-2019-1552) | OpenSSL | [OpenSSL 安全公告](https://www.openssl.org/news/secadv/20190730.txt) | [Rich Mirch](https://x.com/0xm1rch) | | N/A | Monero Wallet GUI (Windows) | [HackerOne #630903](https://hackerone.com/reports/630903) | [l00ph0le](https://hackerone.com/l00ph0le) | | N/A | stunnel | [stunnel-announce](https://www.stunnel.org/pipermail/stunnel-announce/2019-June/000145.html) | [Rich Mirch](https://x.com/0xm1rch) |
标签:API接口, C++, macOS, OpenSSL, Web报告查看器, 协议分析, 安全测试工具, 数据擦除, 权限提升, 漏洞审计