CVE-2025-43532 | Microsoft Remote Registry Service Elevation of Privilege Vulnerability (PoC)

0x00 Introduction

The Windows operating system includes a feature called the Microsoft Remote Registry Service, which lets users access and manage the registry of a target system remotely over the network.

0x01 Vulnerability Overview

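The root cause is that when the Microsoft Remote Registry client detects that the SMB transport is unavailable, it automatically falls back to authenticating over RPC (Remote Procedure Call), switches to older transport protocols (such as TCP/IP), and uses a lower authentication level (RPC_C_AUTHN_LEVEL_CONNECT). This authentication level guarantees neither the integrity of the communication nor the authenticity of the peer, so an attacker can use the flaw to intercept the NTLM authentication exchange and relay the authentication credentials to another service (for example ADCS), carrying out an NTLM relay attack. In this way the attacker may illegitimately create a domain administrator account, or even take full control of the entire domain environment.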
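A defender-side check for the weak fallback described above, added here as an example (not code from the original page or from the PoC): it parses a DCE/RPC bind PDU and flags a bind to the winreg interface authenticated with NTLM at RPC_C_AUTHN_LEVEL_CONNECT. The interface UUID and header layout are taken from the MS-RRP and DCE/RPC specifications rather than from the page, the function names are hypothetical, and the sample PDU is constructed.

```python
import struct
import uuid

# Constants below come from the DCE/RPC and MS-RRP specifications, not from the page.
WINREG_IF = uuid.UUID("338cd001-2244-31f1-aaaa-900038001003")   # winreg interface
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
PTYPE_BIND = 11
AUTHN_WINNT = 0x0A        # NTLM security provider
AUTHN_LEVEL_CONNECT = 2   # RPC_C_AUTHN_LEVEL_CONNECT: no integrity, no privacy


def inspect_bind(pdu: bytes):
    """Parse a little-endian DCE/RPC v5 bind PDU -> (interfaces, auth_type, auth_level) or None."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND or not pdu[4] & 0x10:
        return None
    frag_len, auth_len = struct.unpack_from("<HH", pdu, 8)
    if frag_len > len(pdu):
        return None
    off, ifaces = 28, []                       # 16-byte header + 8 + 4-byte list header
    for _ in range(pdu[24]):                   # n_context_elem
        if off + 24 > frag_len:
            return None
        ifaces.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * pdu[off + 2]          # skip n_transfer_syn transfer syntaxes
    if not auth_len:
        return ifaces, None, None
    trailer = frag_len - auth_len - 8          # sec_trailer precedes the auth token
    if trailer < off:
        return None
    return ifaces, pdu[trailer], pdu[trailer + 1]


def is_weak_winreg_bind(pdu: bytes) -> bool:
    """True when winreg is bound with NTLM at CONNECT level (the fallback described above)."""
    parsed = inspect_bind(pdu)
    if parsed is None:
        return False
    ifaces, auth_type, auth_level = parsed
    return WINREG_IF in ifaces and (auth_type, auth_level) == (AUTHN_WINNT, AUTHN_LEVEL_CONNECT)


def build_bind(if_uuid: uuid.UUID, auth_level: int) -> bytes:
    """Constructed sample bind PDU with a placeholder 16-byte auth token (not captured traffic)."""
    ctx = (struct.pack("<HBB", 0, 1, 0) + if_uuid.bytes_le + struct.pack("<HH", 1, 0)
           + NDR_SYNTAX.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    tail = struct.pack("<BBBBI", AUTHN_WINNT, auth_level, 0, 0, 0) + b"\x00" * 16
    hdr = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 3, 0x10, 16 + len(body) + len(tail), 16, 1)
    return hdr + body + tail
```

A hit is a triage signal rather than proof of relay: the same bind shape appears whenever a client legitimately falls back from SMB, so correlate it with where the client was connecting.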

0x02 CVE ID

CVE-2025-43532

0x03 Affected Versions

Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 11 Version 24H2 for x64-based Systems
Windows 11 Version 24H2 for ARM64-based Systems
Windows Server 2025, 23H2 Edition (Server Core installation)
Windows 11 Version 23H2 for x64-based Systems
Windows 11 Version 23H2 for ARM64-based Systems
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 version 21H2 for ARM64-based Systems
Windows 11 version 21H2 for x64-based Systems
Windows Server 2025 (Server Core installation)
Windows Server 2025
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems

0x04 Vulnerability Verification

PoC URL:

https://www./link/5142f159455fdf571ab0d67b89fa64f5

0x05 References

https://www./link/f1a64a0e360d5ddaf0a3b33c67e3c016

https://www./link/5142f159455fdf571ab0d67b89fa64f5