CVE-2021-1732 Windows Local Privilege Escalation Vulnerability Reproduction


Vulnerability description

When installing an MSI package, Windows Installer creates a rollback script so that, if the installation fails, the series of changes made during the installation can be reverted.

However, a vulnerability in the Windows Installer program allows an attacker to customize the execution path of the rollback script during installation, causing Windows to execute that target program with high privileges and thereby escalate privileges.

An attacker can change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Fax\ImagePath to the path of an arbitrary executable, such as c:\Windows\temp\evil.exe, which causes the attacker's evil.exe to be executed. Because of the characteristics of the Fax service (it runs with high privileges and can be started by any user), this completes the privilege escalation.
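The escalation path described above depends on the Fax service's ImagePath being rewritten to an attacker-chosen binary. The following PowerShell audit is an added example for defenders, not code from the original write-up or from the linked repository: it reads the service's ImagePath, compares it against the expected service binary, flags paths that point into user-writable locations, and lists any non-administrative principal that holds write access on the key. The expected default path (%systemroot%\system32\fxssvc.exe) and the list of trusted principals are assumptions based on a stock Windows installation; adjust them if your build differs.

```powershell
# Added defensive audit (not part of the original write-up).
# Assumption: on a default Windows installation the Fax service binary is
# %systemroot%\system32\fxssvc.exe; change $ExpectedImagePath if yours differs.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Fax'
$ExpectedImagePath = '%systemroot%\system32\fxssvc.exe'   # assumed default

function Test-FaxServiceImagePath {
    param(
        [string]$Key = $KeyPath,
        [string]$Expected = $ExpectedImagePath
    )
    $findings = @()

    if (-not (Test-Path $Key)) {
        $findings += "Registry key $Key not found (Fax service may not be installed)."
        return $findings
    }

    # 1. Compare the configured ImagePath with the expected service binary.
    $actual = (Get-ItemProperty -Path $Key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $actual) {
        $findings += "ImagePath value is missing from $Key."
    } elseif ($actual.Trim('"') -ne $Expected) {
        $findings += "ImagePath is '$actual' but expected '$Expected'."
    }

    # 2. Flag an ImagePath that points into a user-writable location such as a
    #    temp directory (the write-up's example uses c:\Windows\temp\evil.exe).
    if ($actual -and ($actual -match '\\temp\\' -or $actual -match '\\Users\\')) {
        $findings += "ImagePath '$actual' points into a user-writable location."
    }

    # 3. Check whether non-administrative principals can set values on the key;
    #    a service's ImagePath should only be changeable by administrators.
    $acl = Get-Acl -Path $Key
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue
    $trustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')  # assumed
    foreach ($ace in $acl.Access) {
        $isAllow   = $ace.AccessControlType -eq 'Allow'
        $canWrite  = ($ace.RegistryRights -band $writeMask) -ne 0
        $principal = $ace.IdentityReference.Value
        if ($isAllow -and $canWrite -and ($principal -notin $trustedPrincipals)) {
            $findings += "Principal '$principal' can set values under $Key."
        }
    }
    return $findings
}

$result = Test-FaxServiceImagePath
if ($result.Count -eq 0) {
    Write-Output "Fax service ImagePath and key permissions look as expected."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell prompt so that Get-Acl can read the key's security descriptor. For ongoing detection rather than a one-off audit, enabling object-access auditing on the Services key makes changes to ImagePath values appear as Security event 4657 (registry value modified), which can be forwarded to a SIEM.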


Affected systems and application versions

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server, version 2004 (Server Core installation)

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server, version 1909 (Server Core installation)

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1803 for ARM64-based Systems

Windows 10 Version 1803 for x64-based Systems


Reproduction process

exp: https://github.com/shanfenglan/test/blob/master/cve-2021-1732.exe


Remediation

Related security patch:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732
