{"id":47441,"date":"2026-03-03T08:21:32","date_gmt":"2026-03-03T01:21:32","guid":{"rendered":"https:\/\/antoanthongtinhaiphong.gov.vn\/?p=47441"},"modified":"2026-03-04T08:22:14","modified_gmt":"2026-03-04T01:22:14","slug":"poc-cve-2026-20817-lo-hong-leo-thang-dac-quyen-tren-windows-co-the-chiem-quyen-system","status":"publish","type":"post","link":"https:\/\/antoanthongtinhaiphong.gov.vn\/poc-cve-2026-20817-lo-hong-leo-thang-dac-quyen-tren-windows-co-the-chiem-quyen-system\/","title":{"rendered":"PoC CVE-2026-20817: L\u1ed7 h\u1ed5ng leo thang \u0111\u1eb7c quy\u1ec1n tr\u00ean Windows c\u00f3 th\u1ec3 chi\u1ebfm quy\u1ec1n SYSTEM"},"content":{"rendered":"<div><b>M\u1ed9t m\u00e3 khai th\u00e1c m\u1eabu (PoC) cho l\u1ed7 h\u1ed5ng CVE-2026-20817 v\u1eeba \u0111\u01b0\u1ee3c c\u00f4ng khai, l\u00e0m d\u1ea5y l\u00ean lo ng\u1ea1i v\u1ec1 nguy c\u01a1 leo thang \u0111\u1eb7c quy\u1ec1n tr\u00ean c\u00e1c h\u1ec7 th\u1ed1ng Windows ch\u01b0a k\u1ecbp c\u1eadp nh\u1eadt b\u1ea3n v\u00e1 th\u00e1ng 01\/2026. L\u1ed7 h\u1ed5ng n\u1eb1m trong d\u1ecbch v\u1ee5 Windows Error Reporting (WER) v\u00e0 cho ph\u00e9p ng\u01b0\u1eddi d\u00f9ng c\u00f3 quy\u1ec1n th\u1ea5p n\u00e2ng l\u00ean m\u1ee9c NT AUTHORITY\\SYSTEM, t\u1ee9c to\u00e0n quy\u1ec1n ki\u1ec3m so\u00e1t m\u00e1y.<\/b><br \/>\n\u200b<\/div>\n<div><a class=\"js-lbImage\" href=\"https:\/\/whitehat.vn\/attachments\/1772534592777-png.18523\/\" target=\"_blank\" rel=\"noopener\" data-lb-sidebar-href=\"\" data-lb-caption-extra-html=\"\" data-fancybox=\"lb-thread-19285\" data-caption=\"&lt;h4&gt;1772534592777.png&lt;\/h4&gt;&lt;p&gt;&lt;a href=&quot;https:&amp;#x2F;&amp;#x2F;whitehat.vn&amp;#x2F;threads&amp;#x2F;poc-cve-2026-20817-lo-hong-leo-thang-dac-quyen-tren-windows-co-the-chiem-quyen-system.19285&amp;#x2F;#post-44833&quot; class=&quot;js-lightboxCloser&quot;&gt;WhiteHat Team \u00b7 03&amp;#x2F;03&amp;#x2F;2026 l\u00fac 5:46 PM&lt;\/a&gt;&lt;\/p&gt;\"><img loading=\"lazy\" decoding=\"async\" class=\"bbImage \" title=\"1772534592777.png\" src=\"https:\/\/whitehat.vn\/data\/attachments\/18\/18858-69c5b131e338131fb8cbf2ed5a87d8e6.jpg\" alt=\"1772534592777.png\" width=\"712\" height=\"400\" \/><\/a>\u200b<\/div>\n<div>\nNh\u00e0 nghi\u00ean c\u1ee9u b\u1ea3o m\u1eadt s\u1eed d\u1ee5ng b\u00ed danh oxfemale (@bytecodevm) \u0111\u00e3 c\u00f4ng b\u1ed1 PoC tr\u00ean GitHub sau khi Microsoft v\u00e1 l\u1ed7i trong b\u1ea3n c\u1eadp nh\u1eadt Patch Tuesday th\u00e1ng 1\/2026. L\u1ed7 h\u1ed5ng \u0111\u01b0\u1ee3c g\u00e1n m\u00e3 CVE-2026-20817, thu\u1ed9c nh\u00f3m CWE-280 (x\u1eed l\u00fd sai quy\u1ec1n h\u1ea1n) v\u00e0 c\u00f3 \u0111i\u1ec3m CVSS 7,8 (High).<br \/>\nV\u1ea5n \u0111\u1ec1 n\u1eb1m trong file &#8220;wersvc.dll&#8221;, th\u01b0 vi\u1ec7n l\u00f5i c\u1ee7a d\u1ecbch v\u1ee5 WER. D\u1ecbch v\u1ee5 n\u00e0y ch\u1ea1y v\u1edbi quy\u1ec1n SYSTEM v\u00e0 giao ti\u1ebfp qua c\u01a1 ch\u1ebf ALPC (Advanced Local Procedure Call).\u200b<\/div>\n<div>Nguy\u00ean nh\u00e2n v\u00e0 c\u01a1 ch\u1ebf khai th\u00e1c\u200b<\/div>\n<div>L\u1ed7 h\u1ed5ng xu\u1ea5t ph\u00e1t t\u1eeb vi\u1ec7c ph\u01b0\u01a1ng th\u1ee9c SvcElevatedLaunch (0x0D) kh\u00f4ng ki\u1ec3m tra \u0111\u1ea7y \u0111\u1ee7 quy\u1ec1n c\u1ee7a ti\u1ebfn tr\u00ecnh g\u1ecdi. K\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 g\u1eedi m\u1ed9t th\u00f4ng \u0111i\u1ec7p ALPC \u0111\u01b0\u1ee3c t\u1ea1o \u0111\u1eb7c bi\u1ec7t, k\u00e8m theo v\u00f9ng nh\u1edb chia s\u1ebb ch\u1ee9a d\u00f2ng l\u1ec7nh t\u00f9y \u00fd.<br \/>\nKhi nh\u1eadn y\u00eau c\u1ea7u, WER:\u200b<\/div>\n<ol>\n<li data-xf-list-type=\"ol\">\n<div>Sao ch\u00e9p handle v\u00f9ng nh\u1edb do k\u1ebb t\u1ea5n c\u00f4ng cung c\u1ea5p\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ol\">\n<div>\u0110\u1ecdc d\u00f2ng l\u1ec7nh t\u1eeb \u0111\u00f3\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ol\">\n<div>Kh\u1edfi ch\u1ea1y ti\u1ebfn tr\u00ecnh m\u1edbi b\u1eb1ng token SYSTEM c\u1ee7a ch\u00ednh n\u00f3\u200b<\/div>\n<\/li>\n<\/ol>\n<div>D\u00f9 c\u00f3 lo\u1ea1i b\u1ecf quy\u1ec1n SeTcbPrivilege, ti\u1ebfn tr\u00ecnh m\u1edbi v\u1eabn gi\u1eef c\u00e1c \u0111\u1eb7c quy\u1ec1n m\u1ea1nh nh\u01b0 SeDebugPrivilege (g\u1ee1 l\u1ed7i b\u1ea5t k\u1ef3 ti\u1ebfn tr\u00ecnh n\u00e0o) v\u00e0 SeImpersonatePrivilege (gi\u1ea3 m\u1ea1o ng\u01b0\u1eddi d\u00f9ng kh\u00e1c). \u0110i\u1ec1u n\u00e0y m\u1edf \u0111\u01b0\u1eddng cho \u0111\u00e1nh c\u1eafp th\u00f4ng tin \u0111\u0103ng nh\u1eadp, c\u00e0i c\u1eeda h\u1eadu ho\u1eb7c chi\u1ebfm quy\u1ec1n to\u00e0n b\u1ed9 h\u1ec7 th\u1ed1ng.<br \/>\nPoC \u0111\u00e3 ch\u1ee9ng minh khai th\u00e1c th\u00e0nh c\u00f4ng tr\u00ean Windows 11 23H2, khi t\u00e0i kho\u1ea3n ng\u01b0\u1eddi d\u00f9ng th\u01b0\u1eddng c\u00f3 th\u1ec3 t\u1ea1o ti\u1ebfn tr\u00ecnh ch\u1ea1y \u1edf m\u1ee9c SYSTEM.\u200b<\/div>\n<div>Ph\u1ea1m vi v\u00e0 m\u1ee9c \u0111\u1ed9 \u1ea3nh h\u01b0\u1edfng\u200b<\/div>\n<div>C\u00e1c h\u1ec7 th\u1ed1ng ch\u01b0a c\u1eadp nh\u1eadt b\u1ea3n v\u00e1 th\u00e1ng 01\/2026 c\u00f3 nguy c\u01a1 b\u1ecb \u1ea3nh h\u01b0\u1edfng, g\u1ed3m:\u200b<\/div>\n<ul>\n<li data-xf-list-type=\"ul\">\n<div>Windows 10\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Windows 11\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Windows Server 2019\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Windows Server 2022\u200b<\/div>\n<\/li>\n<\/ul>\n<div>D\u00f9 ch\u01b0a ghi nh\u1eadn t\u1ea5n c\u00f4ng th\u1ef1c t\u1ebf, vi\u1ec7c PoC \u0111\u00e3 c\u00f4ng khai l\u00e0m t\u0103ng nguy c\u01a1 b\u1ecb l\u1ee3i d\u1ee5ng ngo\u00e0i th\u1ef1c t\u1ebf, \u0111\u1eb7c bi\u1ec7t trong m\u00f4i tr\u01b0\u1eddng doanh nghi\u1ec7p.\u200b<\/div>\n<div>R\u1ee7i ro v\u00e0 h\u1eadu qu\u1ea3\u200b<\/div>\n<div>N\u1ebfu b\u1ecb khai th\u00e1c th\u00e0nh c\u00f4ng, k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3:\u200b<\/div>\n<ul>\n<li data-xf-list-type=\"ul\">\n<div>Chi\u1ebfm quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n ho\u00e0n to\u00e0n thi\u1ebft b\u1ecb\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>\u0110\u00e1nh c\u1eafp d\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m v\u00e0 th\u00f4ng tin x\u00e1c th\u1ef1c\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>T\u1ea1o c\u01a1 ch\u1ebf duy tr\u00ec truy c\u1eadp\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Di chuy\u1ec3n ngang trong h\u1ec7 th\u1ed1ng m\u1ea1ng n\u1ed9i b\u1ed9\u200b<\/div>\n<\/li>\n<\/ul>\n<div>V\u1edbi quy\u1ec1n SYSTEM, g\u1ea7n nh\u01b0 kh\u00f4ng c\u00f2n r\u00e0o c\u1ea3n b\u1ea3o m\u1eadt n\u00e0o tr\u00ean m\u00e1y b\u1ecb x\u00e2m nh\u1eadp.\u200b<\/div>\n<div>Ph\u00f2ng tr\u00e1nh v\u00e0 khuy\u1ebfn ngh\u1ecb\u200b<\/div>\n<div>Microsoft \u0111\u00e3 ph\u00e1t h\u00e0nh b\u1ea3n v\u00e1 trong Patch Tuesday th\u00e1ng 1\/2026. C\u00e1c chuy\u00ean gia khuy\u1ebfn ngh\u1ecb:\u200b<\/div>\n<ul>\n<li data-xf-list-type=\"ul\">\n<div>C\u1eadp nh\u1eadt Windows ngay qua Windows Update\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Theo d\u00f5i ti\u1ebfn tr\u00ecnh WerFault.exe ho\u1eb7c WerMgr.exe kh\u1edfi ch\u1ea1y v\u1edbi tham s\u1ed1 b\u1ea5t th\u01b0\u1eddng\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Gi\u00e1m s\u00e1t s\u1ef1 ki\u1ec7n t\u1ea1o ti\u1ebfn tr\u00ecnh (Event ID 4688)\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>R\u00e0 so\u00e1t token SYSTEM v\u00e0 ho\u1ea1t \u0111\u1ed9ng leo thang \u0111\u1eb7c quy\u1ec1n\u200b<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Trong tr\u01b0\u1eddng h\u1ee3p kh\u1ea9n c\u1ea5p c\u00f3 th\u1ec3 t\u1ea1m th\u1eddi v\u00f4 hi\u1ec7u h\u00f3a d\u1ecbch v\u1ee5 WER\u200b<\/div>\n<\/li>\n<\/ul>\n<div>CVE-2026-20817 cho th\u1ea5y m\u1ed9t l\u1ed7 h\u1ed5ng trong th\u00e0nh ph\u1ea7n t\u01b0\u1edfng ch\u1eebng \u201cv\u00f4 h\u1ea1i\u201d nh\u01b0 b\u00e1o c\u00e1o l\u1ed7i h\u1ec7 th\u1ed1ng c\u0169ng c\u00f3 th\u1ec3 tr\u1edf th\u00e0nh c\u1eeda ng\u00f5 chi\u1ebfm quy\u1ec1n cao nh\u1ea5t. Khi m\u00e3 khai th\u00e1c \u0111\u00e3 \u0111\u01b0\u1ee3c c\u00f4ng khai, kho\u1ea3ng c\u00e1ch t\u1eeb nghi\u00ean c\u1ee9u \u0111\u1ebfn t\u1ea5n c\u00f4ng th\u1ef1c t\u1ebf l\u00e0 r\u1ea5t ng\u1eafn. Vi\u1ec7c c\u1eadp nh\u1eadt b\u1ea3n v\u00e1 v\u00e0 gi\u00e1m s\u00e1t h\u00e0nh vi leo thang \u0111\u1eb7c quy\u1ec1n kh\u00f4ng c\u00f2n l\u00e0 khuy\u1ebfn ngh\u1ecb, m\u00e0 l\u00e0 y\u00eau c\u1ea7u b\u1eaft bu\u1ed9c \u0111\u1ec3 b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng Windows tr\u01b0\u1edbc c\u00e1c r\u1ee7i ro ng\u00e0y c\u00e0ng tinh vi.\u200b<\/div>\n","protected":false},"excerpt":{"rendered":"<p>M\u1ed9t m\u00e3 khai th\u00e1c m\u1eabu (PoC) cho l\u1ed7 h\u1ed5ng CVE-2026-20817 v\u1eeba \u0111\u01b0\u1ee3c c\u00f4ng khai, l\u00e0m d\u1ea5y l\u00ean lo ng\u1ea1i v\u1ec1 nguy c\u01a1 leo thang \u0111\u1eb7c quy\u1ec1n tr\u00ean c\u00e1c h\u1ec7 th\u1ed1ng Windows ch\u01b0a k\u1ecbp c\u1eadp nh\u1eadt b\u1ea3n v\u00e1 th\u00e1ng 01\/2026. L\u1ed7 h\u1ed5ng n\u1eb1m trong d\u1ecbch v\u1ee5 Windows Error Reporting (WER) v\u00e0 cho ph\u00e9p ng\u01b0\u1eddi d\u00f9ng c\u00f3 [&hellip;]<\/p>\n","protected":false},"author":20,"featured_media":47442,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[3,24,35],"tags":[],"class_list":["post-47441","post","type-post","status-publish","format-standard","has-post-thumbnail","category-canh-bao-khuyen-nghi","category-tin-noi-bat","category-tin-tuc-su-kien"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/comments?post=47441"}],"version-history":[{"count":1,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47441\/revisions"}],"predecessor-version":[{"id":47443,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47441\/revisions\/47443"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media\/47442"}],"wp:attachment":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media?parent=47441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/categories?post=47441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/tags?post=47441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}