嗯,用户让我用中文总结一下这篇文章,控制在一百个字以内,而且不需要特定的开头。首先,我得仔细阅读文章内容,抓住主要信息。 文章是关于一个安全漏洞的,CVE编号是CVE-2025-54098。影响的版本包括Windows 10、11和一些Windows Server版本。严重程度是高危,因为本地无特权攻击者可以写任意数据到系统文件。 技术细节方面,问题出在vhdmp.sys驱动中的VhdmpiCTLogCreateBackingStore函数。它使用ZwCreateFile函数时没有传递OBJ_FORCE_ACCESS_CHECK标志,导致访问控制被绕过。攻击者可以写入任意文件,导致DoS、绕过安全工具甚至可能执行代码。 修复方法是传递该标志以恢复访问检查。 所以总结时要包括:漏洞名称、影响版本、严重程度、技术原因和修复方法。控制在一百字以内,直接描述即可。 </think> 微软Windows Hyper-V组件中发现高危漏洞(CVE-2025-54098),影响多个Windows 10、11及Server版本。攻击者可利用此漏洞写入任意文件,导致系统损坏或安全工具失效。问题源于vhdmp.sys驱动未正确执行访问控制检查,修复已发布。 2025-9-9 00:0:0 Author: starlabs.sg(查看原文) 阅读量:3 收藏
Advisory September 9, 2025 By Chen Le Qi 3 min read
CVE: CVE-2025-54098
Affected Versions: Windows 10 (1507, 1607, 1809, 21H2, 22H2); Windows 11 (22H2, 23H2, 24H2); Windows Server 2008 R2 SP1 through 2025
CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
| Product | Windows Hyper-V (vhdmp.sys) |
|---|---|
| Vendor | Microsoft |
| Severity | High — a local unprivileged attacker may write arbitrary data to any file on the system |
| Affected Versions | Windows 10 (1507, 1607, 1809, 21H2, 22H2); Windows 11 (22H2, 23H2, 24H2); Windows Server 2008 R2 SP1 – 2025 |
| Tested Versions | Windows 11 24H2 (Build 26100.4061) |
| CVE Identifier | CVE-2025-54098 |
| CVE Description | Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally |
| CWE Classification(s) | CWE-284: Improper Access Control |
CVSS3.1 Scoring System
Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Product Background
The Virtual Hard Disk Miniport Driver (vhdmp.sys) handles VHD and ISO mount requests on Windows. It is present and running by default on every installation of Windows 11. The driver exposes IOCTL handlers that allow userspace to interact with virtual disk operations including CT Log management.
Technical Details
VhdmpiCTLogCreateBackingStore() is responsible for creating a file on disk to store CT Log data. It calls ZwCreateFile() with a file path that is fully user-controllable:
ObjectAttributes.RootDirectory = 0LL;
ObjectAttributes.ObjectName = (PUNICODE_STRING)(CTLogObj__ + 16);
ObjectAttributes.Length = 48;
ObjectAttributes.Attributes = 0x240;
*(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0LL;
if ( !a5
|| (HIWORD(EaBuffer[0]) = 16,
strcpy((char *)&EaBuffer[1], "ClusteredApplicationInstance"),
v17 = *a5,
BYTE5(EaBuffer[0]) = 28,
*(_OWORD *)((char *)&EaBuffer[4] + 5) = v17,
ZwCreateFile(
&FileHandle,
0xC0000000,
&ObjectAttributes,
&IoStatusBlock,
0LL,
0x80u,
1u,
1u,
0x42u,
EaBuffer,
0x38u) < 0) )
{
v18 = ZwCreateFile(&FileHandle, 0xC0000000, &ObjectAttributes,
&IoStatusBlock, 0LL, 0x80u, 1u, 1u, 0x42u, 0LL, 0);
status = v18;
if ( v18 < 0 )
goto LABEL_12;
}
The critical issue is that the OBJ_FORCE_ACCESS_CHECK flag is not passed in OBJECT_ATTRIBUTES, and the Zw* API variant is used instead of Nt*. When called from kernel mode via Zw* without OBJ_FORCE_ACCESS_CHECK, Windows skips the access check against the caller’s token entirely. This means a low-privileged user can supply a path to any file on the system — including protected system files — and the kernel will open it without verifying whether the caller has write permission.
After the file is opened, the driver writes CT Log header data followed by user-influenced CT Log content. Since the log data can be partially controlled by the caller, this enables:
- Permanent DoS — corrupting core system files, requiring OS reinstallation to recover
- Security tool bypass — overwriting AV/EDR executables or configuration files
- Potential code execution — with partial data control, further exploitation may be possible
One path to reach VhdmpiCTLogCreateBackingStore() is via IOCTL 0x2D197C, which calls VhdmpiEnableTracking(). Directory traversal (\..\) and NTFS junctions are both viable techniques for redirecting the file path to an arbitrary target.
The fix is to pass OBJ_FORCE_ACCESS_CHECK in the OBJECT_ATTRIBUTES when calling ZwCreateFile(), which restores the access check against the caller’s security token.
Credit
Chen Le Qi of STAR Labs SG Pte. Ltd.
Timeline
- 2025-09-09 — CVE-2025-54098 published; patch released via Microsoft Security Response Center
如有侵权请联系:admin#unsafe.sh