CVE-2021-1732 Windows本地提权漏洞复现

漏洞描述

在安装MSI程序包时,Windows Installer会建立一个回滚脚本,以防安装失败时可以修复安装过程中进行了一系列修改。

但 Windows Installer 程序中存在漏洞,允许攻击者在安装过程中自定义回滚脚本的执行路径,进而导致Windows使用高权限执行该目标程序,完成权限提升。

攻击者可以通过修改HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services \ Fax \ ImagePath的值为任意可执行文件路径如c:\Windows\temp\evil.exe,这导致执行攻击者的evil.exe被执行。因为 Fax 服务的特性(高权限,任意用户可启动),借此完成权限提升。

 

受影响系统及应用版本

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server, version 2004 (Server Core installation)

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server, version 1909 (Server Core installation)

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1803 for ARM64-based Systems

Windows 10 Version 1803 for x64-based Systems

 

复现过程

exp:https://github.com/shanfenglan/test/blob/master/cve-2021-1732.exe

 

 

 

修复方法

相关安全补丁:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732

posted @ 2021-03-14 15:15  vvan9  阅读(1859)  评论(0编辑  收藏  举报