¡¾Îó²îͨ¸æ¡¿Windows InstallerÌáȨ0day»ñµÃ·Ç¹Ù·½²¹¶¡

Ðû²¼Ê±¼ä 2021-12-10


0x00 Îó²î¸ÅÊö

CVE     ID


ʱ      ¼ä

2021-12-02

Àà       ÐÍ

ȨÏÞÌáÉý

µÈ      ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ


Ó°Ïì¹æÄ£


¹¥»÷ÖØƯºó


¿ÉÓÃÐÔ


Óû§½»»¥


ËùÐèȨÏÞ


PoC/EXP

ÒѹûÕæ

ÔÚҰʹÓÃ

ÊÇ

 

0x01 Îó²îÏêÇé

image.png

¿ËÈÕ£¬£¬£¬£¬ £¬£¬£¬Microsoft Windows InstallerÖÐÒ»¸öȨÏÞÌáÉý0dayÎó²î±»ÕýÔÚ±»¹¥»÷ÕßʹÓᣠ¡£¡£¡£¸ÃÎó²îÄܹ»Ê¹¹¥»÷ÕßÌáÉýȨÏÞ²¢ÒÔÖÎÀíԱȨÏÞÔËÐдúÂ룬£¬£¬£¬ £¬£¬£¬Ó°ÏìÁËËùÓÐ Windows °æ±¾£¬£¬£¬£¬ £¬£¬£¬°üÀ¨ Windows 11 ºÍ Windows Server 2022£¬£¬£¬£¬ £¬£¬£¬²¢ÇÒ´ËÎó²îµÄPoC/EXPÒÑÔÚ»¥ÁªÍøÉϹûÕæ¡£ ¡£¡£¡£

11ÔÂ9ÈÕ£¬£¬£¬£¬ £¬£¬£¬Î¢ÈíÐû²¼ÁËCVE-2021-41379µÄÇå¾²¸üУ¬£¬£¬£¬ £¬£¬£¬µ«ÐÞ¸´²¢²»ÍêÉÆ¡£ ¡£¡£¡£Ñо¿Ö°Ô±·¢Ã÷ͨ¹ýʹÓà Microsoft Edge Elevation Service µÄ×ÔÓÉ»á¼û¿ØÖÆÁбí (DACL) ½«ÏµÍ³ÉϵÄÈκοÉÖ´ÐÐÎļþÌ滻Ϊ MSI Îļþ£¬£¬£¬£¬ £¬£¬£¬¿ÉÒÔµ¼Ö¹¥»÷ÕßÒÔÖÎÀíÔ±Éí·ÝÔËÐдúÂë¡£ ¡£¡£¡£ÏÖÔÚ΢ÈíÔÝδÐû²¼´ËÎó²îµÄ²¹¶¡¡£ ¡£¡£¡£

ËäÈ»¸Ã0day£¨ÏÖÔÚÔÝÎÞCVE ID£©±»¶à·½ÒýÓÃΪ¶ÔCVE-2021-41379µÄÈƹý£¬£¬£¬£¬ £¬£¬£¬µ«Ñо¿Ö°Ô±ÌåÏÖÇéÐβ¢·ÇÔÆÔÆ¡£ ¡£¡£¡£¸ÃÎó²îÔ´ÓÚWindows Installer½¨Éè»Ø¹öÎļþ£¨.RBF£©µÄ·½·¨£¬£¬£¬£¬ £¬£¬£¬¸ÃÎļþÔÊÐí»Ö¸´×°ÖÃÀú³ÌÖÐɾ³ý»òÐ޸ĵÄÊý¾Ý¡£ ¡£¡£¡£ÈôÊÇÔÚC:\Windows\Installer\Config.msi * Öн¨ÉèRBF Îļþ£¬£¬£¬£¬ £¬£¬£¬¸ÃÎļþËæºó»á±»Òƶ¯µ½Æô¶¯Óû§ÔÝʱÎļþ¼ÐÖеÄÒÑ֪λÖ㬣¬£¬£¬ £¬£¬£¬¶øÔÚ¸ÃλÖ㬣¬£¬£¬ £¬£¬£¬ÎļþµÄȨÏÞÒ²»á±»Ð޸ģ¬£¬£¬£¬ £¬£¬£¬ÒÔÊÚÓèÓû§Ð´È¨ÏÞ¡£ ¡£¡£¡£¿£¿ £¿£¿£¿ÉÒÔͨ¹ý½¨Éè·ûºÅÁ´½ÓÀ´Ê¹ÓôËÎó²î£¬£¬£¬£¬ £¬£¬£¬ÓÉÓÚWindows InstallerÊÇ×÷ΪÍâµØϵͳÔËÐеģ¬£¬£¬£¬ £¬£¬£¬ÈκοÉÓÉÍâµØϵͳдÈëµÄÎļþ¶¼¿ÉÒÔ±»ÍâµØÓû§ÁýÕÖ²¢³ÉΪ¿ÉдÈëµÄÎļþ¡£ ¡£¡£¡£

12ÔÂ2ÈÕ£¬£¬£¬£¬ £¬£¬£¬0patchƽ̨Ðû²¼Á˸ÃÎó²îµÄ΢²¹¶¡£ ¡£¡£¡£¬£¬£¬£¬ £¬£¬£¬ÒÔÔÝʱÐÞ¸´¸ÃÎó²î¡£ ¡£¡£¡£

 

Ó°Ïì¹æÄ£

ËùÓÐ Windows °æ±¾

 

0x02 ´¦Öóͷ£½¨Òé

ÔÚ΢ÈíÐû²¼´ËÎó²îµÄÕýʽ²¹¶¡Ö®Ç°£¬£¬£¬£¬ £¬£¬£¬×îºÃµÄ·ÀÓù²½·¥ÊÇÔËÐÐ 0Patch Ðû²¼µÄÔÝʱ²¹¶¡£ ¡£¡£¡£¬£¬£¬£¬ £¬£¬£¬Ëü¿ÉÒÔ¼´Ê±Ó¦Ó㬣¬£¬£¬ £¬£¬£¬ÇÒ²»ÐèÒªÖØÐÂÆôÄîͷе¡£ ¡£¡£¡£µ«0patchƽ̨Ðû²¼µÄÔÝʱ²¹¶¡ÏÖÔÚ½öÖ§³Ö²¿·ÖWindows°æ±¾£º

Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates

Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates

Windows 10 v1803 (32 & 64 bit) updated with May 2021 Updates

Windows 10 v1709 (32 & 64 bit) updated with October 2020 Updates

Windows 7 ESU (32 & 64 bit) updated with November 2021 Updates

Windows Server 2019 updated with November 2021 Updates

Windows Server 2016 updated with November 2021 Updates

Windows Server 2012 R2 updated with November 2021 Updates

Windows Server 2012 updated with November 2021 Updates

Windows Server 2008 R2 ESU (32 & 64 bit) updated with November 2021 Updates

ÏÂÔØÁ´½Ó£º

https://0patch.com/

 

0x03 ²Î¿¼Á´½Ó

https://blog.0patch.com/2021/12/free-micropatches-for.html

https://github.com/klinix5/InstallerFileTakeOverPatch

https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html

https://www.bleepingcomputer.com/news/security/windows-installerfiletakeover-zero-day-bug-gets-free-micropatch/

 

0x04 ¸üа汾

°æ±¾

ÈÕÆÚ

ÐÞ¸ÄÄÚÈÝ

V1.0

2021-12-10

Ê×´ÎÐû²¼

 

0x05 ¹ØÓÚ¼øºÚµ£±£Íø

¼øºÚµ£±£Íø¼ò½é

¼øºÚµ£±£Íø¹«Ë¾½¨ÉèÓÚ1996Ä꣬£¬£¬£¬ £¬£¬£¬²¢ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉî½»ËùÖÐС°åÕýʽ¹ÒÅÆÉÏÊУ¬£¬£¬£¬ £¬£¬£¬ÊǺ£ÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢Çå¾²²úÆ·ºÍÇå¾²ÖÎÀíƽ̨¡¢Ç徲ЧÀÍÓë½â¾ö¼Æ»®µÄÁ캽ÆóÒµÖ®Ò»¡£ ¡£¡£¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°£¬£¬£¬£¬ £¬£¬£¬ÔÚÌìϸ÷Ê¡¡¢ÊС¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö£¬£¬£¬£¬ £¬£¬£¬ÓµÓÐÁýÕÖÌìϵÄÏúÊÛϵͳ¡¢ÇþµÀϵͳºÍÊÖÒÕÖ§³Öϵͳ£»£»£»²¢ÔÚ»ª±±¡¢»ª¶«¡¢Î÷ÄϺͻªÄϽṹËÄ´óÑз¢ÖÐÐÄ£¬£¬£¬£¬ £¬£¬£¬»®·ÖΪ±±¾©Ñз¢×ܲ¿¡¢ÉϺ£Ñз¢ÖÐÐÄ¡¢³É¶¼Ñз¢ÖÐÐĺ͹ãÖÝÑз¢ÖÐÐÄ¡£ ¡£¡£¡£

¶àÄêÀ´£¬£¬£¬£¬ £¬£¬£¬¼øºÚµ£±£ÍøÖÂÁ¦ÓÚÌṩ¾ßÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷Á¢ÒìµÄÇå¾²²úÆ·ºÍ×î¼Ñʵ¼ùЧÀÍ£¬£¬£¬£¬ £¬£¬£¬×ÊÖú¿Í»§ÖÜÈ«ÌáÉýÆäIT»ù´¡ÉèÊ©µÄÇå¾²ÐÔºÍÉú²úЧÄÜ£¬£¬£¬£¬ £¬£¬£¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢Çå¾²¹¤ÒµÁì¾üÆ·Åƶø²»Ð¸Æ𾢡£ ¡£¡£¡£

 

¹ØÓÚ¼øºÚµ£±£Íø

¼øºÚµ£±£ÍøÇå¾²Ó¦¼±ÏìÓ¦ÖÐÐÄÖ÷ÒªÕë¶ÔÖ÷ÒªÇå¾²Îó²îµÄÔ¤¾¯¡¢¸ú×ٺͷÖÏíÈ«Çò×îеÄÍþвÇ鱨ºÍÇå¾²±¨¸æ¡£ ¡£¡£¡£

¹Ø×¢ÒÔϹ«Öںţ¬£¬£¬£¬ £¬£¬£¬»ñÈ¡È«Çò×îÐÂÇå¾²×ÊѶ£º

image.png