CVE-2024-30088 on 办公AI智能小助手 https://blog.qife122.com/tags/cve-2024-30088/ Recent content in CVE-2024-30088 on 办公AI智能小助手 Hugo zh-cn qife Fri, 19 Sep 2025 03:20:34 +0800 欺骗沙箱:一次Chrome渲染器逃逸之旅 https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/ Fri, 19 Sep 2025 03:20:34 +0800 https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/ <h1 id="欺骗沙箱一次chrome-atic逃逸">欺骗沙箱:一次Chrome-atic逃逸</h1> <h2 id="目录">目录</h2> <ul> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#the-hunt-begins-finding-the-trigger-for-cve-2024-30088">狩猎开始:寻找CVE-2024-30088的触发点</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#down-the-rabbit-hole-following-the-breadcrumbs">深入探索:跟随线索</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#the-eureka-moment-understanding-the-race">尤里卡时刻:理解竞争条件</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#weaponizing-the-discovery">武器化发现</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#entering-chrome-renderer-sandbox">进入Chrome渲染器沙箱</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#roadblock-1-the-integrity-police">障碍一:完整性警察</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#solution-breaking-the-security-descriptor">解决方案:破坏安全描述符</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#the-precision-surgery-problem">精准手术问题</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#roadblock-2-the-job-object-prison">障碍二:作业对象监狱</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#solution-the-great-escape">解决方案:大逃亡</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#demo">演示</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#summary">总结</a></li> <li><a href="https://blog.qife122.com/p/%E6%AC%BA%E9%AA%97%E6%B2%99%E7%AE%B1%E4%B8%80%E6%AC%A1chrome%E6%B8%B2%E6%9F%93%E5%99%A8%E9%80%83%E9%80%B8%E4%B9%8B%E6%97%85/#afterthoughts">后续思考</a></li> </ul> <p>在我的实习期间,我的导师Le Qi分配我分析CVE-2024-30088,这是Windows内核映像ntoskrnl.exe中的一个双重获取竞争条件漏洞。GitHub上有一个公开的POC,演示了从中等完整性级别到SYSTEM的权限提升(EoP)。此外,我还被挑战(更像是被迫💀)将漏洞利用链式操作,以逃逸Chrome渲染器沙箱,实现从不信任完整性级别到SYSTEM的EoP。容易,对吧?🤡</p>