Mimi's Blog

Did a little bit of work

CVE-2023-21537 is a vulnerability in mqac.sys, the Windows Message Queuing (MSMQ) driver. It was disclosed in January 2023 and has since been patched by Microsoft. There is no public PoC for it; the only public information is what the discoverer gave in the article Racing bugs in Windows kernel. Starting from that, the author analysed the relevant code in depth and successfully reproduced the vulnerability. This article is a summary of that research.

Setting up a reproduction environment

Because the vulnerability is fixed on newer builds, it has to be reproduced on an older one. The author installed Windows 10 21H1 (build 19043.928) in a Hyper-V virtual machine. Message Queuing is an optional Windows feature and must be enabled by hand: open Control Panel, choose Programs, click Turn Windows features on or off, and enable Microsoft Message Queuing (MSMQ) Server, as shown in the figure below.


Next, open Computer Management, expand Services and Applications in the sidebar, select Private Queues under Message Queuing, and right-click to create a new private queue. Write down the queue name; the PoC program will need it later. The result is shown in the figure below.


To make debugging the PoC easier, kernel debugging can be enabled in the virtual machine so that the guest's Windows kernel can be debugged with WinDbg on the host. Open PowerShell as administrator and run the following commands:

bcdedit /debug on
bcdedit /dbgsettings net hostip:192.168.1.2 port:50001 key:1.2.3.4

Replace hostip with the IP address of the host; port and key can be changed as you like. The key is what secures the KDNET connection, so choose a longer one than in this example if the VM's network is shared with anyone else. Then restart the virtual machine and attach WinDbg with the same parameters to debug the guest kernel.

Vulnerability analysis

According to the discoverer's article, the root cause is that ACSendMessage in mqac.sys reads one input parameter from user memory twice. The first read controls the length of an array; the second read is used as the length when the corresponding heap memory is freed. The code does not consider that the user can modify the parameter between the two reads, so this is a double-fetch (TOCTOU) vulnerability that can cause memory to be freed with the wrong length.

mqac.sys registers ACDeviceControl as the handler for IoControl requests. The function parses the parameters passed in by the user and dispatches to different handler functions. Reversing ACDeviceControl shows that when the IOCTL code is 0x19658107 and the output buffer length is 0x2C0, it calls the dispatch function ACSendMessage. The key code from the IDA decompilation follows (some context is omitted):

__int64 __fastcall ACDeviceControl(struct _DEVICE_OBJECT *DeviceObject, struct _IRP *Irp)
{
    struct _IO_STACK_LOCATION *CurrentStackLocation = Irp->Tail.Overlay.CurrentStackLocation;
    // IDA shows the DeviceIoControl parameters through the overlapping Read union member:
    // Read.ByteOffset.LowPart is IoControlCode and Read.Length is OutputBufferLength
    unsigned int LowPart = CurrentStackLocation->Parameters.Read.ByteOffset.LowPart;
    __int64 Length = CurrentStackLocation->Parameters.Read.Length;
    const struct CQueueBase *FsContext = CurrentStackLocation->FileObject->FsContext;
    NTSTATUS Information;
    // ...
    switch ( LowPart )
    {
        case 0x19658107u:
            if ( (_DWORD)Length == 704 )   // 0x2C0
            {
                Information = ACSendMessage(DeviceObject, Irp, Options, FsContext, (struct CACSendParameters *)UserBuffer);
                goto LABEL_246;
            }
            // ...
    }
    // ...
}

ACSendMessage first copies the user-mode buffer into a buffer on the kernel stack, then runs its core logic: it calls CQueue::PutNewPacket to send the data the user requested, and then calls ACFreeDeepCopyQueueFormat to free the heap memory. The vulnerability is here: the second argument of that free call is read directly from the user-mode buffer rather than from the kernel copy. The key decompiled code from IDA follows; the UserBuffer parameter is the pointer to the user buffer.

__int64 __fastcall ACSendMessage(
        struct _DEVICE_OBJECT *DeviceObject,
        struct _IRP *Irp,
        unsigned int Options,
        const struct CQueueBase *FsContext,
        struct CACSendParameters *UserBuffer)
{
    const struct BOID *v15;
    PVOID Contents[36];
    memset(Contents, 0, 0x118ui64);
    _DWORD *DeviceExtension = DeviceObject->DeviceExtension;
    int v9 = CQueueBase::Validate(FsContext);
    if ( v9 >= 0 )
    {
        if ( DeviceExtension[246] )
        {
            // probes the user buffer and deep-copies its contents into Contents[] (first fetch)
            ACDeepProbeSendParams(DeviceObject, UserBuffer, (struct ACSendParametersPointerContents *)Contents);
            v15 = (const struct BOID *)*((_QWORD *)UserBuffer + 45);
        }
        // ...
        if ( Contents[23] )
            // the length argument is read from the user buffer again (second fetch): the double fetch
            ACFreeDeepCopyQueueFormat((char *)Contents[23], *((_DWORD *)UserBuffer + 148));
        // ...
    }
    // ...
}

So the path is clear: obtain a handle to the MQAC device, send it IOCTL 0x19658107, and arrange the parameters so that execution reaches ACFreeDeepCopyQueueFormat. That requires Contents[23] to be non-zero. Contents is zero-initialized and then passed to ACDeepProbeSendParams, so the next step is to work out how to make that function populate Contents[23], and then trigger the vulnerability.
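As an added example (not code from the original post and not mqac.sys code), the following portable user-mode model shows the double fetch just described and its fix. A "kernel" handler deep-copies `count` entries from a user-controlled parameter block, then frees the copy using a second read of the same field; a simulated racing write lands between the two reads. The struct and function names are hypothetical stand-ins for CACSendParameters, ACDeepProbeSendParams and ACFreeDeepCopyQueueFormat. In the real driver the second read is the DWORD at offset 148*4 = 0x250 of the user buffer, as the decompiled `*((_DWORD *)UserBuffer + 148)` shows, and a real PoC would flip that DWORD from a second thread while issuing the IOCTL in a loop.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 8

/* Hypothetical user-supplied parameter block (stands in for CACSendParameters). */
struct send_params {
    unsigned int count;               /* number of queue-format entries to copy */
    const char *entries[MAX_ENTRIES];
};

/* Kernel-side deep copy (stands in for what the probe routine fills into Contents[]). */
struct deep_copy {
    unsigned int count;               /* how many entries were actually allocated */
    char *entries[MAX_ENTRIES];
};

/* Stand-in for the probe/deep-copy step: sizes the copy from `count`. */
static int deep_copy_make(struct deep_copy *dc, const struct send_params *user, unsigned int count) {
    if (count > MAX_ENTRIES) return -1;
    dc->count = count;
    for (unsigned int i = 0; i < count; i++) {
        dc->entries[i] = strdup(user->entries[i]);
        if (!dc->entries[i]) return -1;
    }
    return 0;
}

/* Stand-in for ACFreeDeepCopyQueueFormat(Contents[23], len). Frees what was allocated and
 * returns how many entries `len` would have reached beyond the allocation (0 = consistent).
 * The real driver has no such check: it would walk past the array. */
static unsigned int deep_copy_free(struct deep_copy *dc, unsigned int len) {
    unsigned int overrun = len > dc->count ? len - dc->count : 0;
    for (unsigned int i = 0; i < dc->count; i++) free(dc->entries[i]);
    dc->count = 0;
    return overrun;
}

typedef void (*race_fn)(struct send_params *user);

/* Vulnerable: reads user->count for the allocation, then again for the free. */
unsigned int send_vulnerable(struct send_params *user, race_fn race) {
    struct deep_copy dc = {0};
    if (deep_copy_make(&dc, user, user->count) != 0)   /* fetch #1 */
        return 0;
    if (race) race(user);                               /* the other thread's write lands here */
    return deep_copy_free(&dc, user->count);            /* fetch #2: trusts user memory again */
}

/* Fixed: capture the parameter block once, then use only the kernel copy. */
unsigned int send_fixed(struct send_params *user, race_fn race) {
    struct send_params captured;
    memcpy(&captured, user, sizeof captured);          /* single fetch (probe + copy in a real driver) */
    struct deep_copy dc = {0};
    if (deep_copy_make(&dc, &captured, captured.count) != 0)
        return 0;
    if (race) race(user);                               /* user memory changes, but is never re-read */
    return deep_copy_free(&dc, captured.count);
}

/* Simulated racing thread: bumps the count after the deep copy has been sized. */
void flip_count(struct send_params *user) { user->count = MAX_ENTRIES; }

int main(void) {
    /* constructed sample parameter block with two entries */
    struct send_params p = { .count = 2, .entries = { "DIRECT=OS:.\\private$\\test", "DIRECT=OS:.\\private$\\test2" } };
    printf("vulnerable: free reaches %u entries past the allocation\n", send_vulnerable(&p, flip_count));
    p.count = 2;
    printf("fixed:      free reaches %u entries past the allocation\n", send_fixed(&p, flip_count));
    return 0;
}
```

The fix is the standard one for kernel double fetches: probe and copy the user buffer exactly once, and derive every later decision (here the free length) from the captured copy, never from the user-mode pointer.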

Read the full text »

NAT traversal ("intranet penetration"), usually implemented as a reverse proxy or tunnel, lets you reach a machine that sits behind a NAT or firewall from anywhere. There are many use cases. For example, if a Raspberry Pi running Home Assistant is the hub of your home network but the home gateway has no public IP address, you cannot control your smart devices once you leave the house. With tunneling configured, you can reach the Raspberry Pi through the public IP address of the relay server from anywhere and use the Home Assistant services.

The principle is to use a host with a fixed public IP address as a relay that helps two clients establish a direct P2P connection; if that fails, all traffic to the host on the private network is forwarded through the relay. Many solutions exist for different needs, such as frp and Cloudflare Tunnel. frp maps a port of a host on the private network to a port on the public host, so it is very direct to use. Its drawbacks are that every host and port has to be configured separately, which becomes tedious when several devices are networked together, and that those ports are exposed directly to the Internet, so every service behind them has to carry its own authentication. The other solution, Cloudflare Tunnel, relays traffic through Cloudflare's edge nodes. It is a very good choice, but it shares frp's weakness: it is awkward when multiple devices need to reach each other.

In the author's experience, when several devices on different networks all need to be reachable and able to talk to each other, building a virtual LAN with ZeroTier is a good choice. The setup is described below.

Preparation

First open the ZeroTier official website, register an account, create a network in the web console to obtain its Network ID, then download and install the client. Once installed, ZeroTier creates a virtual network interface.

In the ZeroTier client, enter the Network ID and choose Join. The device is then assigned an IP address on the ZeroTier virtual network. Install the client on every device that needs to participate and join them all to the same Network ID, and they can reach each other through their assigned addresses. That is all there is to it. Keep the network set to Private in the ZeroTier console, so that a device that merely knows the Network ID still has to be authorized there before it is given an address.

Read the full text »

In the article DIY glow tube clock the author described some ideas for designing the digital logic of a glow tube (Nixie) clock. The boost converter is an equally indispensable part of driving the tubes, but for lack of design experience at the time it was not studied; instead a ready-made MC34063-based boost board was bought. That approach has its problems: it needs a 12 V input, and its conversion efficiency is questionable. So the author decided to design the boost converter himself in order to fully understand the whole circuit.

Of course I cannot design such a circuit from scratch; I have to start from existing designs. Besides the MC34063, there are MAX1771 and LM3481 based designs on the market. After searching, I found that the NCH8200HV made by OMNIXIE fits my needs very well: it is very compact, easy to integrate, and runs from a 5 V input. To protect its design, however, OMNIXIE does not publish the schematic of the NCH8200HV, and the markings on the two ICs and one diode of the sold board have been sanded off. What can be identified visually is a TTRN-060S-054 transformer and chip resistors of 0.01 Ω, 499 kΩ, 69.8 kΩ and 10 MΩ.

 OMNIXIE NCH8200HV

Combining these clues, a matching open-source boost schematic can be found: Schematic Diagram of Glow Tube 5V-170V Boost Test Module PCB Engineering Document. That design is based on the MAX668 controller and the TPH1R403NL MOSFET. The 69.8 kΩ and 10 MΩ resistors form the voltage feedback divider, the 0.01 Ω resistor is the current-sense resistor, and the 499 kΩ resistor sets the switching frequency of the MAX668. Observing how the key components on the NCH8200HV are connected shows that it uses the same topology as this open-source schematic: a coupled-inductor boost converter.

Read the full text »

Cloud storage ("network disk") is a convenient way to store, back up and share files, and it has advanced enormously over the past decade. Many companies have added cloud storage to their product ecosystems, such as Apple's iCloud and Microsoft's OneDrive, which focus on backing up and synchronizing local files; Baidu Netdisk and the now-faded 360 Netdisk focus on file sharing and offline download. Unfortunately, many of these providers, like download tools such as Thunder (Xunlei), run membership schemes and throttle download speed for non-members, which is unfriendly to free users. Is there a way to get the advantages of all of these services? Yes: a self-hosted private cloud. Whether on a Raspberry Pi or a VPS, you can easily build a private cloud that supports offline download, synchronization and sharing.

The current mainstream private cloud services include Seafile, Pydio, ownCloud and Nextcloud, each with its own character. Seafile targets enterprise file storage and is developed in Python. Pydio's new Cells is a rewrite in Go that offers team-oriented file sharing but lacks community support. ownCloud and Nextcloud are open-source PHP projects; Nextcloud was forked by members of the original ownCloud team. The two have much in common, but Nextcloud is better in many respects (mobile client support, for instance).
In the author's own tests, whether the goal is a private cloud for personal use or for team collaboration, Nextcloud's feature set basically beats the competition. This article therefore focuses on Nextcloud; setup instructions for the other services can be found on their official websites.

Install Nextcloud

The author first installed Nextcloud a few years ago, when the PHP and MySQL environments had to be configured by hand and the steps were tedious. Nextcloud now provides a one-click Docker image, so a Nextcloud instance can be built in a few minutes. Create a docker-compose.yml file with the following contents:

version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=   # set a strong, unique password
      - MYSQL_PASSWORD=        # must match the app service's MYSQL_PASSWORD
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud
    restart: always
    ports:
      - 8080:80   # published on every interface; use 127.0.0.1:8080:80 if only a local tunnel should reach it
    links:
      - db
    volumes:
      - nextcloud:/var/www/html
    environment:
      - MYSQL_PASSWORD=        # same value as in the db service
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db

Here you must set MYSQL_ROOT_PASSWORD and the two identical MYSQL_PASSWORD values so that Nextcloud can connect to the database; use strong, unique passwords, since the compose file stores them in plain text. Then run:

docker-compose up -d

When it finishes, open http://localhost:8080 and the Nextcloud page appears. On first login you set the administrator account and password, and then you can start using it.

Configure Cloudflare Tunnel

If the server has a public IP address, Nextcloud can be reached directly once the firewall is configured. If it does not, NAT traversal is needed; the following shows how to do that with Cloudflare's Tunnel service.

First register a Cloudflare account and host your domain name on Cloudflare. Then click Zero Trust in the Cloudflare dashboard and choose Tunnels under Access in the sidebar. There you can create a new Tunnel. The Tunnel settings page offers install commands for each operating system; for Debian, the commands look like this:

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb
sudo cloudflared service install ...

After that, set the hostname for public access in the Public hostnames panel: choose one of your subdomains and point the service at http://localhost:8080. Nextcloud is then reachable from the Internet. Nextcloud will also need that hostname in its trusted_domains setting (the nextcloud image reads NEXTCLOUD_TRUSTED_DOMAINS) and, because TLS is terminated at Cloudflare while the tunnel talks plain HTTP to the container, overwriteprotocol set to https; otherwise it rejects requests as coming from an untrusted domain or generates http:// links.

According to Microsoft's documentation Options for using Windows 11 with Mac® computers with Apple® M1® and M2™ chips, an ARM Windows virtual machine can now be installed on an M1 Mac with Parallels® Desktop 18. This article goes through the specific steps.

First install Parallels® Desktop; for the specific steps see ParallelsDesktopCrack.

Then prepare an ARM Windows ISO image. Microsoft does not offer it as a direct download, but all the required files can be fetched from the Windows Update servers, and the UUP dump website makes it easy to obtain a script that builds the ISO.

On the UUP dump site, enter "Windows 11 arm64" in the search box and sort the results by date. The results include both stable and Insider Preview builds. In the author's testing, downloads for Insider Preview builds sometimes failed, so choose a stable build such as Windows 11, version 22H2 (22621.1485) arm64. Then select the language and edition as prompted to reach the download page.

 UUP dump download page

Click Create download package to download an archive containing the script files.

A file named readme.unix.md lists the software dependencies needed to build the ISO. The author found, however, that the chntpw dependency could not be installed normally on an M1 Mac. To get around this, install the dependencies as follows instead:

brew tap minacle/chntpw
brew install cabextract wimlib cdrtools minacle/chntpw/chntpw

Once the installation is complete, run:

bash uup_download_macos.sh

If all goes well, an image file with a name like 22621.1_MULTI_ARM64_ZH-CN.ISO is produced. Finally, create a new virtual machine in Parallels Desktop and select that ISO image to install the system.

 Parallels Desktop Install Windows 11


Reference article: How to Download and Install Windows 11 ARM With ISO
