Reproducing the Microsoft Windows Defender Remote Code Execution Vulnerability (CVE-2021-1647)

2021-02-14 連接世界的暗影
0x01 Affected versions

- Microsoft: Microsoft Defender: Windows 8.1 for 32-bit systems
- Microsoft: Microsoft Defender: Windows 7 for x64-based Systems Service Pack 1
- Microsoft: Microsoft Defender: Windows 7 for 32-bit Systems Service Pack 1
- Microsoft: Microsoft Defender: Windows Server 2016 (Server Core installation)
- Microsoft: Microsoft Defender: Windows Server 2016
- Microsoft: Microsoft Defender: Windows 10 Version 1607 for x64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 1607 for 32-bit Systems
- Microsoft: Microsoft Defender: Windows 10 for x64-based Systems
- Microsoft: Microsoft Defender: Windows 10 for 32-bit Systems
- Microsoft: Microsoft Defender: Windows Server, version 20H2 (Server Core Installation)
- Microsoft: Microsoft Defender: Windows 10 Version 20H2 for ARM64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 20H2 for 32-bit Systems
- Microsoft: Microsoft Defender: Windows 10 Version 20H2 for x64-based Systems
- Microsoft: Microsoft Defender: Windows Server, version 2004 (Server Core installation)
- Microsoft: Microsoft Defender: Windows 10 Version 2004 for x64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 2004 for ARM64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 2004 for 32-bit Systems
- Microsoft: Microsoft Defender: Windows Server, version 1909 (Server Core installation)
- Microsoft: Microsoft Defender: Windows 10 Version 1909 for ARM64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 1909 for x64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 1909 for 32-bit Systems
- Microsoft: Microsoft Defender: Windows Server 2019 (Server Core installation)
- Microsoft: Microsoft Defender: Windows Server 2019
- Microsoft: Microsoft Defender: Windows 10 Version 1809 for ARM64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 1809 for x64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 1809 for 32-bit Systems
- Microsoft: Microsoft Defender: Windows 10 Version 1803 for ARM64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 1803 for x64-based Systems
- Microsoft: Microsoft Defender: Windows 10 Version 1803 for 32-bit Systems
- Microsoft: Microsoft System Center 2012 Endpoint Protection
- Microsoft: Microsoft Security Essentials
- Microsoft: Microsoft System Center 2012 R2 Endpoint Protection
- Microsoft: Microsoft System Center Endpoint Protection
- Microsoft: Microsoft Defender: Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Microsoft: Microsoft Defender: Windows Server 2008 for 32-bit Systems Service Pack 2
- Microsoft: Microsoft Defender: Windows RT 8.1
- Microsoft: Microsoft Defender: Windows 8.1 for x64-based systems
- Microsoft: Microsoft Defender: Windows Server 2012 R2 (Server Core installation)
- Microsoft: Microsoft Defender: Windows Server 2012 R2
- Microsoft: Microsoft Defender: Windows Server 2012 (Server Core installation)

0x02 Vulnerability description

Windows Defender contains a heap overflow in the built-in emulation component it uses when scanning executable files. An attacker can lure the victim, for example through an e-mail or a malicious link, into downloading a crafted malicious file; when Windows Defender automatically scans that file, the vulnerability is triggered and exploited, ultimately giving the attacker control of the victim's computer.

Impact assessment

The threat posed by this vulnerability is very serious. However, because Windows Defender automatically updates itself once it is connected to the network, the actual harm it can currently cause is limited.

0x03 Timeline

2021-01-12 Microsoft releases the security update

2021-01-15 暗影安全 collects an in-the-wild exploit sample

2021-01-18 Reproduced on the 朗陣 cyber range platform

0x04 Vulnerability reproduction

After a range of tests by our technical team, we reproduced a fairly stealthy and highly destructive propagation method for this vulnerability: with the social-networking software involved, the vulnerability can be triggered without any user interaction.

Statement: the social-networking software itself was not tested, and this vulnerability does not involve any vulnerability in that software.

Reproduction note: when WeChat receives the in-the-wild sample, it saves the file locally; Defender scans it in real time, and when the vulnerability is triggered a cmd window pops up.

0x05 Remediation advice

Microsoft has already released a patch for this vulnerability, and Windows Defender automatically updates itself once it is connected to the network, so ordinary users only need to stay online and wait for Windows Defender to update automatically. The official security advisory for this vulnerability is:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647
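Rather than assuming the automatic update has landed, an administrator can confirm it. The following PowerShell script is an added example and is not part of the original post; it assumes the built-in Windows Defender module (Get-MpComputerStatus, Update-MpSignature) and takes the patched engine version as a parameter, since the post does not state that number (it is given in the MSRC advisory linked above).

```powershell
# Added example (not from the original post): check whether this host has
# received the Defender engine update for CVE-2021-1647 and, if not, trigger
# the update instead of waiting for the scheduled one.
param(
    # Placeholder: pass the fixed engine version taken from the MSRC advisory.
    [Parameter(Mandatory = $true)]
    [version]$PatchedEngineVersion,
    # Signatures older than this suggest automatic updates are not reaching the host.
    [int]$MaxSignatureAgeDays = 7
)

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion          # e.g. "1.1.xxxxx.x"
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

Write-Host "Engine version         : $engine"
Write-Host "Signatures last updated: $($status.AntivirusSignatureLastUpdated) ($([int]$sigAge.TotalDays) days ago)"
Write-Host "Real-time protection   : $($status.RealTimeProtectionEnabled)"

$problems = @()
if ($engine -lt $PatchedEngineVersion) {
    $problems += "engine $engine is older than the patched version $PatchedEngineVersion"
}
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    $problems += "signatures are $([int]$sigAge.TotalDays) days old"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: Defender engine is at or above the patched version and updating normally."
    exit 0
}

Write-Warning ("Defender update check failed: " + ($problems -join '; '))
# The post's guidance is to let Defender update itself over the network;
# this forces that update now and re-checks the engine version afterwards.
try {
    Update-MpSignature -ErrorAction Stop
    $after = [version](Get-MpComputerStatus).AMEngineVersion
    Write-Host "Engine version after update: $after"
    if ($after -lt $PatchedEngineVersion) {
        Write-Warning "Still below the patched version; check connectivity to Microsoft Update or WSUS."
        exit 1
    }
} catch {
    Write-Warning "Update-MpSignature failed: $($_.Exception.Message)"
    exit 1
}
```

Run it in an elevated PowerShell session; a non-zero exit code means the host still needs attention.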

References

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647
