Windows Installer Security Vulnerability

Vulnerability ID: 1926715    Vulnerability type: Other
Published: 2020-02-18    Updated: 2020-02-18
CVE ID: CVE-2020-0683    CNNVD ID: CNNVD-202002-545
Platform: N/A    CVSS score: N/A
| Vulnerability source
https://cxsecurity.com/issue/WLB-2020020088
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202002-545
| Vulnerability details
Microsoft Windows is an operating system for personal devices developed by Microsoft Corporation (USA). An elevation of privilege vulnerability exists in Microsoft Windows Installer. An attacker could exploit it to bypass access restrictions and add or remove files. The following products and versions are affected: Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows 10 version 1607, Windows 10 version 1709, Windows 10 version 1803, Windows 10 version 1809, Windows 10 version 1903, Windows 10 version 1909, Windows Server version 1803, Windows Server version 1903, Windows Server version 1909.
| Vulnerability EXP
# Exploit Title:  MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Author: nu11secur1ty
# Date: 2020-02-14
# Vendor: Microsoft
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
# CVE: CVE-2020-0683


[+] Credits: Ventsislav Varbanovski (@nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source:  readme from GitHub
[+] twitter.com/nu11secur1ty


[Exploit Program]
Link:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty


[Vendor]
Microsoft


[Vulnerability Type]
Windows Installer Elevation of Privilege Vulnerability

[CVE Reference]

An elevation of privilege vulnerability exists in the Windows Installer
when MSI packages process symbolic links. An attacker who successfully
exploited this vulnerability could bypass access restrictions to add or
remove files.

To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application that
could exploit the vulnerability and add or remove files.

The security update addresses the vulnerability by modifying how reparse
points are handled by the Windows Installer.


[Security Issue]
Elevation of Privilege from user to C:\Windows\administration execution
files


[References]

# CVE-2020-0683
Original PoC sent to MSRC.
Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683

Source code for Visual Studio C++ 2019

Inside "nu11secur1ty" you'll find the exploit (exe) to execute.

# Note:

This test uses `system.ini` in c:\Windows\system.ini.
After running this test you should replace that file with the original
`system.ini`, which you will find in the CVE-2020-0683 directory :)

--------------------------------------------------------------------------

- How to run the exploit

Go into "nu11secur1ty" directory and from a cmd console launch:

- for the test

MsiExploit.exe "c:\Windows\system.ini"

Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.

- Disclaimer:

The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.


- @nu11secur1ty


[Network Access]
Local


[Disclosure Timeline]
02/11/2020



nu11secur1ty
--
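The advisory above describes a defect class rather than a single file: an installer that follows a symbolic link or other reparse point placed in a user-writable location ends up adding or removing files inside a protected directory. The PowerShell below is an added, defender-side example written for this page; it is not part of the original advisory or the nu11secur1ty repository. It (1) lists reparse points under common user-writable roots whose target resolves into the protected system directory, (2) checks whether a file an installer is expected to touch (system.ini, the file used in the author's test) has itself been replaced by a reparse point, and (3) pulls the recent MsiInstaller transaction-start events (Application log, event ID 1040) so a link creation can be correlated with the installer run that followed it. The roots, the protected prefix and the 24-hour window are assumptions chosen for illustration; adjust them to the environment being reviewed.

```powershell
# Added example (not from the original advisory): audit for reparse points that
# redirect out of user-writable locations into a protected system directory.
# Assumptions: $Roots are typical user-writable paths and $ProtectedPrefix is
# %SystemRoot%; both are illustrative defaults.

function Get-SuspiciousReparsePoint {
    [CmdletBinding()]
    param(
        [string[]] $Roots = @($env:TEMP, $env:LOCALAPPDATA, "$env:SystemDrive\Users\Public"),
        [string]   $ProtectedPrefix = $env:SystemRoot
    )

    $prefix = [IO.Path]::GetFullPath($ProtectedPrefix).TrimEnd('\') + '\'

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # -Attributes ReparsePoint restricts the listing to items carrying the
        # reparse-point attribute (symbolic links, junctions, mount points, ...).
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                $item = $_
                $linkDir = Split-Path -Parent $item.FullName

                # .Target is a PowerShell-added property on FileSystemInfo. It is a
                # string[] on Windows PowerShell 5.1 and a string on PowerShell 7;
                # wrapping in @() handles both. It is empty for reparse points that
                # are not links (cloud-file placeholders, for example).
                foreach ($target in @($item.Target)) {
                    if ([string]::IsNullOrWhiteSpace($target)) { continue }

                    # Relative symlink targets are relative to the link's own directory.
                    if (-not [IO.Path]::IsPathRooted($target)) {
                        $target = [IO.Path]::Combine($linkDir, $target)
                    }
                    try { $resolved = [IO.Path]::GetFullPath($target) } catch { continue }

                    if ($resolved.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                        [pscustomobject]@{
                            Link       = $item.FullName
                            LinkType   = $item.LinkType
                            Target     = $resolved
                            CreatedUtc = $item.CreationTimeUtc
                            Owner      = (Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue).Owner
                        }
                    }
                }
            }
    }
}

function Test-FileIsReparsePoint {
    # $true when the path itself carries the reparse-point attribute, i.e. the
    # file has been replaced by a link. A protected file such as system.ini
    # should never report $true.
    param([Parameter(Mandatory)][string] $Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    return [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
}

function Get-RecentMsiTransaction {
    # MsiInstaller writes Application-log event 1040 when a transaction begins;
    # its message names the package path and the client process id, which is
    # what you correlate against the CreatedUtc of a suspicious link.
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1040
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, UserId,
            @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

# Usage: run in the context of the user whose profile is being reviewed, or
# elevated to cover every profile under C:\Users.
Get-SuspiciousReparsePoint | Format-Table -AutoSize
Test-FileIsReparsePoint -Path "$env:SystemRoot\system.ini"
Get-RecentMsiTransaction -Hours 24 | Format-Table -AutoSize
```

A hit from the first function is not by itself proof of exploitation: junctions into the Windows directory are rare but legitimate in some deployment tooling, so compare the link's owner and creation time with the 1040 events before treating it as an incident. The second check is the quick triage for the specific file named in the author's note, and generalizes to any file the installer is expected to write.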
| References

Source: portal.msrc.microsoft.com

Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0683


Source: portal.msrc.microsoft.com

Link: https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-0683


Source: nvd.nist.gov

Link: https://nvd.nist.gov/vuln/detail/CVE-2020-0683