Microsoft DirectX End-User Runtime Web Installer Privilege Escalation Vulnerability
2026-3-11 00:0:35 Author: talosintelligence.com (view original)

SUMMARY

A local privilege escalation vulnerability exists during the installation of Microsoft DirectX End-User Runtime. A low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0

PRODUCT URLS

DirectX End-User Runtime Web Installer - https://www.microsoft.com/en-us/download/details.aspx?id=35

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-284 - Improper Access Control

DETAILS

The DirectX End-User Runtime Web Installer installs additional legacy DirectX libraries but does not upgrade the core DirectX version supported by Windows.

The Microsoft DirectX End-User Runtime Web Installer (dxwebsetup.exe) creates a temporary folder in %TEMP% during installation and then writes the dxwsetup.exe executable into that folder. This behavior can be observed in the following Process Monitor logs:

11:10:31.6282244 AM	dxwebsetup.exe	11440	CreateFile	C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a	High

11:10:31.6300581 AM	dxwebsetup.exe	11440	CreateFile	C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe	SUCCESS	Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created	High

Next, it runs the dxwsetup.exe executable with high integrity to complete the installation, as shown below:

11:10:32.2195484 AM	dxwebsetup.exe	11440	Process Create	C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe	SUCCESS	PID: 9852, Command line: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe	High

[...]

11:10:32.2195659 AM	dxwsetup.exe	9852	Process Start		SUCCESS	Parent PID: 11440, Command line: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, Current directory: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\, Environment: 
    [...]

The vulnerability exists because the installer’s temporary folder is writable by standard users. An attacker with user privileges can exploit this by replacing dxwsetup.exe with a malicious executable. When dxwebsetup.exe runs dxwsetup.exe, it will execute the attacker-controlled file with high integrity privileges.

The Process Monitor log below shows the creation of C:\pwned.txt when the attacker-controlled dxwsetup.exe is loaded. Note that only a high-privilege user can create a file in the root directory.

11:31:15.5356631 AM	dxwsetup.exe	11212	CreateFile	C:\pwned.txt	SUCCESS	Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created	High

11:31:15.5378461 AM	dxwsetup.exe	11212	WriteFile	C:\pwned.txt	SUCCESS	Offset: 0, Length: 36, Priority: Normal	High

11:31:15.5384271 AM	dxwsetup.exe	11212	CloseFile	C:\pwned.txt	SUCCESS		High
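As an added defender-side example (not code from the Talos report or from Microsoft), the Python script below parses Process Monitor lines in the tab-separated layout shown above and flags any High- or System-integrity process launch whose image sits under the user's %TEMP%, noting whether the launching process itself wrote that file earlier in the log, which is exactly the stage-then-elevate sequence the advisory describes. The sample lines are constructed to mirror the advisory's events, and the default %TEMP% location under the user profile is an assumption.

```python
"""Flag elevated process launches from user-writable temp folders in
Process Monitor (Procmon) tab-separated log lines.

Added example, not Talos or Microsoft code. The log lines below are
constructed to mirror the column layout shown in the advisory:
time, process, PID, operation, path, result, detail, integrity.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: %TEMP% is at its default location under the user profile.
# Anything under this root is writable by the standard user who owns the profile.
USER_WRITABLE_ROOTS = (
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
)

# Integrity levels at which a launch from a user-writable path is a finding.
ELEVATED_INTEGRITY = {"High", "System"}


@dataclass
class Event:
    time: str
    process: str
    pid: int
    operation: str
    path: str
    result: str
    detail: str
    integrity: str


@dataclass
class Finding:
    launcher: str             # image name of the process that spawned the child
    launcher_pid: int
    child_pid: Optional[int]
    image_path: str           # executable that was run with elevated integrity
    staged_by_launcher: bool  # the launcher itself wrote that file earlier in the log


def is_user_writable(path: str) -> bool:
    """True if path sits under a directory a standard user can write to."""
    return any(root.match(path) for root in USER_WRITABLE_ROOTS)


def parse_line(line: str) -> Optional[Event]:
    """Parse one tab-separated Procmon line; return None for continuation or blank lines."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 8 or not fields[2].isdigit():
        return None
    time, process, pid, operation, path, result, detail, integrity = fields
    return Event(time, process, int(pid), operation, path, result, detail, integrity)


def find_elevated_temp_launches(events):
    """Walk events in order; report elevated launches of images under user-writable paths."""
    staged = {}  # lower-cased path -> PID of the process that created that file
    findings = []
    for ev in events:
        key = ev.path.lower()
        if (ev.operation == "CreateFile" and ev.result == "SUCCESS"
                and "OpenResult: Created" in ev.detail and is_user_writable(ev.path)):
            staged[key] = ev.pid
        if (ev.operation == "Process Create" and ev.result == "SUCCESS"
                and ev.integrity in ELEVATED_INTEGRITY and is_user_writable(ev.path)):
            m = re.search(r"PID: (\d+)", ev.detail)
            findings.append(Finding(
                launcher=ev.process,
                launcher_pid=ev.pid,
                child_pid=int(m.group(1)) if m else None,
                image_path=ev.path,
                staged_by_launcher=staged.get(key) == ev.pid,
            ))
    return findings


def analyze(log_text: str):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return find_elevated_temp_launches(events)


# Constructed sample: one dxwebsetup.exe stage-and-launch sequence like the advisory's,
# plus two benign launches that must not be flagged.
TMP = r"C:\Users\dev\AppData\Local\Temp"
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("11:10:31.6300581 AM", "dxwebsetup.exe", "11440", "CreateFile",
     TMP + r"\IXP000.TMP\dxwsetup.exe", "SUCCESS",
     "Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, OpenResult: Created", "High"),
    ("11:10:32.2195484 AM", "dxwebsetup.exe", "11440", "Process Create",
     TMP + r"\IXP000.TMP\dxwsetup.exe", "SUCCESS",
     "PID: 9852, Command line: " + TMP + r"\IXP000.TMP\dxwsetup.exe", "High"),
    # System service launching a binary from a protected directory: not a finding.
    ("11:10:40.0000000 AM", "services.exe", "700", "Process Create",
     r"C:\Windows\System32\svchost.exe", "SUCCESS", "PID: 5555, Command line: svchost.exe -k netsvcs", "System"),
    # Medium-integrity launch from %TEMP%: ordinary user-level behaviour, no elevation.
    ("11:10:41.0000000 AM", "explorer.exe", "4321", "Process Create",
     TMP + r"\setup_helper.exe", "SUCCESS", "PID: 6666, Command line: setup_helper.exe", "Medium"),
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.launcher} (PID {f.launcher_pid}) ran {f.image_path} elevated "
              f"as PID {f.child_pid}; staged by launcher: {f.staged_by_launcher}")
```

Run against the constructed sample, the script reports a single finding: dxwebsetup.exe (PID 11440) launched dxwsetup.exe from the IXP000.TMP folder at High integrity after having created that file itself. Many legitimate installers stage helper binaries in %TEMP%, so in production this rule needs an allow-list, but the pairing of an elevated launch with a user-writable staging path is the condition worth surfacing; the mitigation on the installer side is to stage into a directory whose DACL grants write access only to the elevated context (or to verify the staged binary's signature before launching it).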

Note that some applications use the Microsoft DirectX End-User Runtime Web installer to install DirectX components. Such applications may also be affected by this issue.

TIMELINE

2025-10-30 - Vendor Disclosure
2025-11-17 - Vendor rejects the issue as being “by design”
2025-12-09 - Submitted dispute to Mitre
2026-01-14 - Vendor finally rejects vulnerability
2026-01-23 - Email from Mitre to vendor, request for information
2026-02-16 - Mitre sends follow-up email to vendor
2026-02-17 - Vendor indicates that the rejection was based on a months-long misunderstanding of the vulnerability; requests additional information
2026-02-17 - Additional information provided to vendor
2026-02-20 - Vendor requests more time to reassess the issue
2026-03-03 - Mitre asks for reply from vendor; No reply
2026-03-09 - Mitre assigns CVE
2026-03-11 - Public Release

Discovered by KPC of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2293