CVE-2025-30518

// CVE-2025-30518 PoC - Intel PresentMon权限提升漏洞演示 // 注意：此代码仅用于安全研究和漏洞理解 #include <windows.h> #include <aclapi.h> #include <stdio.h> void CheckPresentMonPermissions() { const char* presentMonPaths[] = { "C:\\Program Files\\Intel\\PresentMon", "C:\\Program Files (x86)\\Intel\\PresentMon", "C:\\Users\\Public\\PresentMon" }; printf("[*] Checking Intel PresentMon installation permissions...\n"); for (int i = 0; i < 3; i++) { PSECURITY_DESCRIPTOR pSD = NULL; PACL pDACL = NULL; DWORD dwResult = GetSecurityInfo( GetTrustedToolInfo(presentMonPaths[i]), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, &pSD ); if (dwResult == ERROR_SUCCESS && pDACL) { // Check if Everyone or Users group has full control ACL_SIZE_INFORMATION aclSize; if (GetAclInformation(pDACL, &aclSize, sizeof(aclSize), AclSizeInformation)) { for (DWORD i = 0; i < aclSize.AceCount; i++) { LPVOID pAce = NULL; if (GetAce(pDACL, i, &pAce)) { PSID pSid = (PSID)&((PACCESS_ALLOWED_ACE)pAce)->SidStart; char szName[256], szDomain[256]; DWORD dwNameSize = 256, dwDomainSize = 256; SID_NAME_USE peUse; if (LookupAccountSid(NULL, pSid, szName, &dwNameSize, szDomain, &dwDomainSize, &peUse)) { printf("[*] Found ACE: %s\\%s\n", szDomain, szName); // Check for excessive permissions ACCESS_MASK mask = ((PACCESS_ALLOWED_ACE)pAce)->Mask; if ((mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS) { printf("[!] VULNERABLE: Full control permissions found!\n"); printf("[!] This may allow privilege escalation via PresentMon\n"); } } } } } } if (pSD) LocalFree(pSD); } printf("[*] Analysis complete. Upgrade to PresentMon >= 2.3.1 to fix.\n"); } int main() { printf("CVE-2025-30518 Intel PresentMon Permission Check\n"); printf("==============================================\n"); CheckPresentMonPermissions(); return 0; }

{"cve": {"id": "CVE-2025-30518", "sourceIdentifier": "[email protected]", "published": "2025-11-11T17:15:47.433", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect default permissions for some Intel(R) PresentMon before version 2.3.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01392.html", "source": "[email protected]"}]}}