¡¾·ì϶¹«¸æ¡¿Windows InstallerÌáȨ0day»ñµÃ·Ç¹Ù·½²¹¶¡

°ä²¼¹¦·ò 2021-12-10


0x00 ·ì϶¸ÅÊö

CVE     ID


ʱ      ¼ä

2021-12-02

Àà       ÐÍ

ȨÏÞÌáÉý

µÈ      ¼¶

¸ßΣ

Ô¶³ÌÀûÓÃ


Ó°ÏìÁìÓò


¹¥»÷¸´ÔÓ¶È


¿ÉÓÃÐÔ


Óû§½»»¥


ËùÐèȨÏÞ


PoC/EXP

Òѹ«¿ª

ÔÚÒ°ÀûÓÃ

ÊÇ

 

0x01 ·ì϶ÏêÇé

image.png

½üÈÕ£¬Microsoft Windows InstallerÖÐÒ»¸öȨÏÞÌáÉý0day·ì϶±»ÔÚ±»¹¥»÷ÕßÀûÓ᣸÷ì϶¿ÉÄÜʹ¹¥»÷ÕßÌáÉýȨÏÞ²¢ÒÔÖÎÀíԱȨÏÞÔËÐдúÂ룬ӰÏìÁËËùÓÐ Windows °æ±¾£¬Ô̺¬ Windows 11 ºÍ Windows Server 2022£¬²¢ÇÒ´Ë·ì϶µÄPoC/EXPÒÑÔÚ»¥ÁªÍøÉϹ«¿ª¡£

11ÔÂ9ÈÕ£¬Î¢Èí°ä²¼ÁËCVE-2021-41379µÄ°²È«¸üУ¬µ«½¨¸´²¢²»ÃÀÂú¡£×êÑÐÈËÔ±·¢ÏÖͨ¹ýÀûÓà Microsoft Edge Elevation Service µÄ×ÔÓɽӼû½ÚÔìÁбí (DACL) ½«ÏµÍ³ÉϵÄÈκοÉÖ´ÐÐÎļþ´úÌæΪ MSI Îļþ£¬Äܹ»µ¼Ö¹¥»÷ÕßÒÔÖÎÀíÔ±Éí·ÝÔËÐдúÂ롣Ŀǰ΢ÈíÔÝδ°ä²¼´Ë·ì϶µÄ²¹¶¡¡£

¹ÌÈ»¸Ã0day£¨Ä¿Ç°ÔÝÎÞCVE ID£©±»¶à·½ÒýÓÃΪ¶ÔCVE-2021-41379µÄÈƹý£¬µ«×êÑÐÈËÔ±°µÊ¾Çé¿ö²¢·ÇÈç´Ë¡£¸Ã·ì϶ԴÓÚWindows Installer´´½¨»Ø¹öÎļþ£¨.RBF£©µÄ·½Ê½£¬¸ÃÎļþÔÊÐí¸´Ô­×°Öùý³ÌÖÐɾ³ý»òÅú¸ÄµÄÊý¾Ý¡£ÈôÊÇÔÚC:\Windows\Installer\Config.msi * Öд´½¨RBF Îļþ£¬¸ÃÎļþËæºó»á±»Òƶ¯µ½Æô¶¯Óû§Ò»Ê±Îļþ¼ÐÖеÄÒÑÖªµØ룬¶øÔڸõØ룬ÎļþµÄȨÏÞÒ²»á±»Åú¸Ä£¬ÒÔÊÚÓèÓû§Ð´È¨ÏÞ¡£Äܹ»Í¨¹ý´´½¨·ûºÅÁ´½ÓÀ´ÀûÓô˷ì϶£¬ÓÉÓÚWindows InstallerÊÇ×÷Ϊ±¾µØϵͳÔËÐеÄ£¬ÈκοÉÓɱ¾µØϵͳдÈëµÄÎļþ¶¼Äܹ»±»±¾µØÓû§¸²¸Ç²¢³ÉΪ¿ÉдÈëµÄÎļþ¡£

12ÔÂ2ÈÕ£¬0patchƽ̨°ä²¼Á˸÷ì϶µÄ΢²¹¶¡£¬ÒÔһʱ½¨¸´¸Ã·ì϶¡£

 

Ó°ÏìÁìÓò

ËùÓÐ Windows °æ±¾

 

0x02 ´ëÖý¨Òé

ÔÚ΢Èí°ä²¼´Ë·ì϶µÄÕýʽ²¹¶¡Ö®Ç°£¬×îºÃµÄ·ÀÓù´ëÊ©ÊÇÔËÐÐ 0Patch °ä²¼µÄһʱ²¹¶¡£¬ËüÄܹ»¼´Ê±ÀûÓã¬ÇÒ²»±ØÒª³ÁÐÂÆô¶¯»úе¡£µ«0patchƽ̨°ä²¼µÄһʱ²¹¶¡Ä¿Ç°½öÖ§³Ö²¿ÃÅWindows°æ±¾£º

Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates

Windows 10 v1803 (32 & 64 bit) updated with May 2021 Updates

Windows 10 v1709 (32 & 64 bit) updated with October 2020 Updates

Windows 7 ESU (32 & 64 bit) updated with November 2021 Updates

Windows Server 2019 updated with November 2021 Updates

Windows Server 2016 updated with November 2021 Updates

Windows Server 2012 R2 updated with November 2021 Updates

Windows Server 2012 updated with November 2021 Updates

Windows Server 2008 R2 ESU (32 & 64 bit) updated with November 2021 Updates

ÏÂÔØÁ´½Ó£º

https://0patch.com/

 

0x03 ²Î¿¼Á´½Ó

https://blog.0patch.com/2021/12/free-micropatches-for.html

https://github.com/klinix5/InstallerFileTakeOverPatch

https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html

https://www.bleepingcomputer.com/news/security/windows-installerfiletakeover-zero-day-bug-gets-free-micropatch/

 

0x04 ¸üа汾

°æ±¾

ÈÕÆÚ

Åú¸ÄÄÚÈÝ

V1.0

2021-12-10

³õ´Î°ä²¼

 

0x05 ¹ØÓÚGA»Æ½ð¼×

GA»Æ½ð¼×¼ò½é

GA»Æ½ð¼×¹«Ë¾³ÉÁ¢ÓÚ1996Ä꣬²¢ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉî½»ËùÖÐÓ×°åÕýʽ¹ÒÅÆÉÏÊУ¬ÊǹúÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢°²È«²úÆ·ºÍ°²È«ÖÎÀíƽ̨¡¢°²È«·þÎñÓë½â¾ö¹æ»®µÄÁ캽ÆóÒµÖ®Ò»¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°£¬ÔÚÈ«¹ú¸÷Ê¡¡¢ÊÓ×¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö£¬Õ¼Óи²¸ÇÈ«¹úµÄÏúÊÛϵͳ¡¢Çþ·ϵͳºÍ¼¼ÊõÖ§³Öϵͳ£»²¢ÔÚ»ª±±¡¢»ª¶«¡¢Î÷ÄϺͻªÄϲ¼¾ÖËÄ´óÑз¢ÖÐÐÄ£¬±ðÀëΪ±±¾©Ñз¢×ܲ¿¡¢ÉϺ£Ñз¢ÖÐÐÄ¡¢³É¶¼Ñз¢ÖÐÐĺ͹ãÖÝÑз¢ÖÐÐÄ¡£

¶àÄêÀ´£¬GA»Æ½ð¼×ÖÂÁ¦ÓÚÌṩӵÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷´´Ðµİ²È«²úÆ·ºÍ×î¼Ñʵ¼Ê·þÎñ£¬Ô®ÊÖ¿Í»§È«ÃæÌáÉýÆäIT»ù´¡ÉèÊ©µÄ°²È«ÐԺͳö²úЧÁ¦£¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢°²È«²úÒµÁì¾üÆ·Åƶø²»Ð¸ÖÂÁ¦¡£

 

¹ØÓÚGA»Æ½ð¼×

GA»Æ½ð¼×°²È«Ó¦¼±ÏìÓ¦ÖÐÐÄÖØÒªÕë¶Ô³ÁÒª°²È«·ì϶µÄÔ¤¾¯¡¢¸ú×ٺͷÖÏíÈ«Çò×îеÄÍþвµý±¨ºÍ°²È«»ã±¨¡£

¹Ø×¢ÒÔϹ«¼ÒºÅ£¬»ñÈ¡È«Çò×îа²È«×ÊѶ£º

image.png