Category: technology · Length: 2.1k words · Reading time: ≈8 minutes
CVE-2023-21537 is a vulnerability in the Windows Message Queuing (MSMQ) driver mqac.sys. It was disclosed in January 2023 and has been patched by Microsoft. No public PoC exists for it, and the discoverer only released some details in the article "Racing bugs in Windows kernel". Building on that, the author analyzed the relevant code in depth and successfully reproduced the vulnerability. This article summarizes that research.
Setting up the reproduction environment
Because the vulnerability has been patched in newer builds, it has to be reproduced on an older one. The author installed Windows 10 21H1, build 19043.928, in a Hyper-V virtual machine. Since Message Queuing is an optional Windows feature, it must be enabled manually: open Control Panel, select Programs, click Turn Windows features on or off, and enable Microsoft Message Queuing (MSMQ) Server, as shown in the figure below.
Then open Computer Management, select Services and Applications in the sidebar, expand Message Queuing, click Private Queues, and right-click to create a new private queue. Write down the queue name; the PoC program uses it later. The result is shown in the following figure.
To make debugging the PoC easier, kernel debugging can also be enabled in the virtual machine, so that its Windows kernel can be debugged from WinDbg on the host. Open PowerShell with administrator privileges and run the following commands:
bcdedit /debug on
bcdedit /dbgsettings net hostip:192.168.1.2 port:50001 key:1.2.3.4
Replace hostip with the IP address of the host; port and key can be changed as desired. Then restart the virtual machine and use the same parameters in WinDbg to attach to the virtual machine's kernel.
Vulnerability analysis
According to the discoverer's article, the root cause is that the ACSendMessage function in mqac.sys reads one input parameter from user memory twice: the first read controls an array length, and the second read is used when freeing heap memory according to that length. The logic does not account for the user modifying the parameter between the two reads, so this is a double-fetch vulnerability that can cause the wrong memory to be freed.
mqac.sys provides an IoControl handler named ACDeviceControl, which parses the parameters passed in by the user and calls different dispatch functions. Reverse engineering ACDeviceControl shows that when the IoControl code is 0x19658107 and the output buffer length is 0x2C0, it calls the dispatch function ACSendMessage. The key code from IDA's decompilation is as follows (some context omitted):
ACSendMessage first copies the user-mode buffer into a buffer on the kernel-mode stack, then runs the core business logic, calling CQueue::PutNewPacket to send the data the user requested, and finally calls ACFreeDeepCopyQueueFormat to free the heap memory. The vulnerability lies here: the second argument passed to the free operation is read directly from the user-mode buffer. The key decompiled code from IDA follows; the parameter UserBuffer is the pointer to the user buffer.
So the path seems clear: obtain a handle to the MQAC virtual device, send it IoControl code 0x19658107, and adjust the parameters so that ACFreeDeepCopyQueueFormat is executed. This requires Contents[23] to be non-zero. Observation shows that Contents is first initialized to all zeros and then passed into ACDeepProbeSendParams, so we should try to get that function to modify Contents[23] for us in order to trigger the vulnerability.
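To make the double-fetch pattern concrete from the defender's side, here is an added example that is not code from the article or from mqac.sys: a simulated IOCTL handler in which a length field is read twice from a user-supplied buffer, beside the hardened version that copies the request into kernel-owned memory once (the role the stack copy in ACSendMessage is supposed to play) and validates only the copy. The request layout, the handler names and the racer hook are all constructed for illustration; the hook stands in for a second user thread rewriting the field between the two reads so that the interleaving is deterministic.

```c
/* Added example (not from the original article or the driver): a simulated
 * IOCTL handler showing a double fetch of a user-controlled length and the
 * fix of copying the request into kernel memory once. All names and the
 * request layout are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 8

/* Constructed stand-in for a user-mode request buffer. */
struct request {
    unsigned count;            /* length field the handler reads */
    unsigned items[MAX_ITEMS];
};

/* Hook invoked between the handler's two reads. It stands in for a second
 * user thread rewriting the field while the handler runs, so the race is
 * reproduced deterministically here. */
typedef void (*racer_fn)(struct request *);

/* Vulnerable pattern: the length is read twice from user memory. The bounds
 * check covers the first value, but the second value drives the work. */
int process_double_fetch(struct request *user, racer_fn racer) {
    unsigned n = user->count;                  /* fetch #1: validated */
    if (n > MAX_ITEMS)
        return -1;
    if (racer)
        racer(user);                           /* the race window */
    unsigned m = user->count;                  /* fetch #2: used unchecked */
    /* A real handler would now loop to m or free a block sized by m;
     * returning m exposes the value that escaped validation. */
    return (int)m;
}

/* Hardened pattern: copy the whole request into kernel-owned memory once,
 * validate the copy, and never dereference the user pointer again. In a
 * Windows driver the copy would follow ProbeForRead inside __try/__except;
 * a plain memcpy is enough for this simulation. */
int process_single_fetch(struct request *user, racer_fn racer) {
    struct request snap;
    memcpy(&snap, user, sizeof snap);          /* the single fetch */
    if (snap.count > MAX_ITEMS)
        return -1;
    if (racer)
        racer(user);                           /* only the user copy changes */
    return (int)snap.count;                    /* every later use reads snap */
}

/* Racer that raises the length after the bounds check has passed. */
void racer_raise_count(struct request *r) { r->count = 100; }

/* Drive the vulnerable handler with a request whose length starts valid (4)
 * and is raised to 100 between the two reads. Returns the length used. */
int demo_vulnerable(void) {
    struct request r = { .count = 4 };
    return process_double_fetch(&r, racer_raise_count);
}

/* Same scenario against the hardened handler. Returns the length used. */
int demo_hardened(void) {
    struct request r = { .count = 4 };
    return process_single_fetch(&r, racer_raise_count);
}

int main(void) {
    printf("double fetch used count %d (limit %d)\n", demo_vulnerable(), MAX_ITEMS);
    printf("single fetch used count %d\n", demo_hardened());
    return 0;
}
```

The vulnerable handler ends up working with a length of 100 even though the check only admitted values up to 8, which is exactly the shape of the ACSendMessage bug: the value that was validated is not the value that is used. The snapshot version returns 4 regardless of what the racer does, because after the single copy the user pointer is never read again.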
Category: technology · Length: 1.2k words · Reading time: ≈4 minutes
Intranet penetration (NAT traversal) is a reverse-proxy technique that lets you reach a machine sitting in a complex network environment from anywhere. There are many use cases. For example, if a Raspberry Pi at home serves as the Home Assistant hub but the home gateway has no public IP address, you cannot control your smart devices once you leave home. With intranet penetration configured, you can connect to the Raspberry Pi through the proxy server's public IP address at any time and from anywhere to use the Home Assistant services.
The principle is to use a host with a fixed public IP address as a relay that helps two clients establish a P2P connection; if that fails, all traffic is forwarded to the intranet host through the relay. Many intranet penetration solutions exist for different needs, such as frp and Cloudflare Tunnel. frp maps a port on the intranet host to a port on the public host, so it is very direct to use. Its drawback is that each host and port must be configured separately, which becomes tedious when several devices are networked; in addition, those ports are exposed directly to the public Internet, which is poor for security. The other solution, Cloudflare Tunnel, relays directly through Cloudflare's nodes and is a very good choice, but its drawbacks are similar to frp's: it is troublesome when multiple devices need to reach each other.
In the author's experience, when multiple devices in different network environments all need intranet penetration and must be able to reach each other, ZeroTier is a good choice for building a virtual LAN. The specific configuration is described below.
Preparation
First, open the ZeroTier official website, register an account, then download and install the client. After the installation completes, a virtual network adapter is created.
In the ZeroTier client, enter the Network ID and select Join; your device is then assigned an IP address on the ZeroTier virtual network. Install the ZeroTier client on every device that needs intranet penetration and join them all to the network with the same Network ID, and they can reach each other through the assigned IP addresses. It's that simple!
Category: technology · Length: 1.3k words · Reading time: ≈5 minutes
In the article "DIY Nixie tube clock", the author introduced some ideas for designing the digital logic of a Nixie tube clock. A boost converter is also an indispensable part of driving Nixie tubes, but for lack of design experience at the time that problem was not studied; instead a finished MC34063-based boost board was bought. That scheme has some problems, for example it requires a 12 V input to work, and its conversion efficiency is questionable. So the author decided to design the boost circuit himself in order to fully master the design of the whole circuit.
Of course, I am not able to design such a circuit from scratch; existing solutions have to be consulted first. Besides MC34063, there are also MAX1771- and LM3481-based designs on the market. After searching, I found that the NCH8200HV made by OMNIXIE fits my needs very well: it is very compact, easy to integrate, and needs only a 5 V input. However, to protect its design, OMNIXIE did not publish the NCH8200HV schematic, and the markings on two ICs and one diode of the finished product have been sanded off. By visual inspection one can find a TTRN-060S-054 transformer on the board, along with SMD resistors of 0.01 Ω, 499 kΩ, 69.8 kΩ and 10 MΩ.
Combining this information, an open-source boost schematic can be found: "Schematic Diagram of Glow Tube 5V-170V Boost Test Module PCB Engineering Document". It is based on the MAX668 controller and the TPH1R403NL MOSFET. The 69.8 kΩ and 10 MΩ resistors form the voltage feedback divider, the 0.01 Ω resistor is the current-sense resistor, and the 499 kΩ resistor sets the PWM frequency of the MAX668. Observing how some key components on the NCH8200HV are connected shows that this open-source schematic uses the same topology: a coupled-inductor boost converter.
Category: technology · Length: 857 words · Reading time: ≈3 minutes
Cloud drives are a convenient way to store, back up and share files, and they have advanced greatly over the past decade. Many companies have added cloud storage to their product ecosystems, for example Apple's iCloud and Microsoft's OneDrive, which focus on backing up and synchronizing local files, while Baidu Netdisk and the now-faded 360 cloud drive focus on file sharing and offline downloads. Unfortunately, many cloud drive providers and download tools such as Thunder (Xunlei) run membership schemes and throttle download speeds for non-members, which is unfriendly to free users. So is there a way to combine the advantages of these services? Yes: a self-hosted private cloud. Whether on a Raspberry Pi or a VPS, it is easy to build a private cloud that supports offline download, synchronization and sharing.
Several mainstream private cloud services exist today: Seafile, Pydio, ownCloud and Nextcloud, each with its own characteristics. Seafile targets enterprise file storage and is written in Python. Pydio's new Cells is rewritten in Go and provides team-oriented file sharing, but lacks community support. ownCloud and Nextcloud are open-source projects written in PHP; Nextcloud was developed independently by members of the original ownCloud team. The two share much, but Nextcloud is better in many respects (such as mobile support). In the author's own tests, whether for personal use or team collaboration, Nextcloud's features basically beat the other competitors. This article therefore focuses on Nextcloud; instructions for the other services can be found on their official websites.
Install Nextcloud
The author installed Nextcloud a few years ago; back then PHP and MySQL had to be configured by hand and the steps were cumbersome. Nextcloud now provides a one-click Docker image, so a Nextcloud service can be set up in a few minutes. To use it, create a docker-compose.yml file and fill in the following content:
Here you need to set MYSQL_ROOT_PASSWORD and the two identical MYSQL_PASSWORD values so that Nextcloud can connect to the database. Then run the following command:
docker-compose up -d
When it finishes, open http://localhost:8080 to see the Nextcloud page. On first login, set the administrator account and password, and then you can start using it.
Configure Cloudflare Tunnel
If the server has a public IP address, Nextcloud can be reached directly once the firewall is configured. If the server has no public IP address, intranet penetration is required. The following describes how to use Cloudflare's Tunnel service for this.
First, register a Cloudflare account and host your domain name on Cloudflare. Then click Zero Trust in the Cloudflare dashboard and select Tunnels under Access in the sidebar. On this page you can create a new Tunnel. On the Tunnel settings page, choose the install command for your operating system. Taking Debian as an example, the page shows a command like the following:
After that, set the domain name for public access in the Public hostnames panel: use one of your subdomains as the hostname and set the service to http://localhost:8080. Nextcloud can then be reached over the Internet.
First, install Parallels® Desktop; the specific steps can be found in "Parallels Desktop crack".
Then prepare an ARM Windows ISO image. Microsoft does not offer the image for direct download, but all the required files can be obtained from the Windows Update servers. The UUP dump website makes it easy to obtain the script files that generate the ISO image.
On the UUP dump website, enter the keyword "Windows 11 arm64" in the search box and sort the results by date. The results include both stable and Insider Preview builds. During testing, the author found that Insider Preview resources might fail to download, so choose a stable build such as Windows 11, version 22H2 (22621.1485) arm64. Then select the language and edition as prompted to reach the download page.
Click Create download package to download an archive containing the script files.
A file named readme.unix.md lists the software dependencies needed to generate the ISO image. However, the author found that the dependency [email protected] could not be installed normally on an M1 Mac. To work around this, change the installation commands to:
brew tap minacle/chntpw
brew install cabextract wimlib cdrtools minacle/chntpw/chntpw
Once the installation completes, run
bash uup_download_macos.sh
If all goes well, an image file with a name like 22621.1_MULTI_ARM64_ZH-CN.ISO is produced. Finally, create a new virtual machine in Parallels Desktop and select the ISO image file to install the system.