Post from 2024-08-06 14:35:14

Alt:

Therefore, after in-depth analysis, we found that the conditions for LPE or RCE vulnerabilities are actually met here.
(1) The source of its input content is the `C-00000291-00000000-00000009.sys` file, and there is no signature mechanism;

(2) `CrowdStrike` lacks a self-protection mechanism and can read and write the `C-00000291-00000000-00000009.sys` file at will;

(3) `C-00000291-00000000-00000009.sys` itself is directly downloaded from the Internet by `CSAgent.sys`;

(4) `CSAgent.sys` supports reading the proxy from IE AutoProxy to get out to the network.
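A triage script for conditions (1), (2) and (4) above, added here as an example; it is not part of the original post and not CrowdStrike's code. It assumes the channel files live under `C:\Windows\System32\drivers\CrowdStrike` (the commonly reported location) and match `C-00000291-*.sys`; both the path and the filter are assumptions. For each file it reports the Authenticode status, the signer if any, and every identity holding a write-type right in the DACL, then dumps the WinHTTP and IE/WinINET proxy settings a component on the host could pick up.

```powershell
# Added example, not from the original post. Assumed channel-file location.
$channelDir = 'C:\Windows\System32\drivers\CrowdStrike'

# Access-mask bits that let a principal change a file's content or its ACL:
# WRITE_DATA, APPEND_DATA, WRITE_ATTRIBUTES, DELETE, WRITE_DAC, WRITE_OWNER,
# plus GENERIC_ALL and GENERIC_WRITE as they appear in inherited ACEs.
$writeMask = 0x2 -bor 0x4 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000 `
    -bor 0x10000000 -bor 0x40000000

function Test-ChannelFile {
    param([Parameter(Mandatory)][string]$Path)

    # Status is 'Valid' only for an Authenticode-signed file; a plain data
    # file comes back 'NotSigned' or 'UnknownError'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $acl = Get-Acl -Path $Path

    # Allow ACEs whose mask contains any write-type bit. Deny ACEs are not
    # evaluated here, so treat the result as a first pass, not a verdict.
    $writers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights.value__ -band $writeMask) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        File            = Split-Path -Path $Path -Leaf
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Owner           = $acl.Owner
        Writers         = ($writers -join '; ')
    }
}

Get-ChildItem -Path $channelDir -Filter 'C-00000291-*.sys' -File -ErrorAction Stop |
    ForEach-Object { Test-ChannelFile -Path $_.FullName } |
    Format-Table -AutoSize

# Proxy sources a host component could use to reach the Internet (condition 4):
# the machine-wide WinHTTP proxy and the per-user IE/WinINET settings,
# including any PAC URL configured for auto-proxy.
netsh winhttp show proxy
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL
```

Run it from an elevated PowerShell so `Get-Acl` can read every ACE. A `NotSigned` result only shows that the file carries no Authenticode signature; an integrity check the sensor performs internally on the file's contents would not be visible to this script, so confirming condition (1) needs analysis of the loader itself, as the post describes. Likewise, a `Writers` column containing only `SYSTEM`, `TrustedInstaller` and `Administrators` means condition (2) would require an already-privileged caller on that host.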