0x00 漏洞背景

2019年8月13日，google安全研究员Tavis Ormandy发布博客披露了windows操作系统中CTF协议存在了多年的漏洞。

0x01 漏洞详情

google安全研究员Tavis Ormandy在Windows文本服务框架(MSCTF)中发现了一些从Windows XP开始就存在的设计缺陷。已登录Windows系统的攻击者可以利用漏洞获得SYSTEM权限。Ormandy还在YouTube上发布了一个视频演示，通过利用该协议劫持系统用来显示登录屏幕的Windows LogonUI程序来在Windows中获得SYSTEM权限。

微软目前已经发布编号为CVE-2019-1162的安全补丁解决了Windows操作系统高级本地过程调用(ALPC)中相关的问题，目前尚不清楚是否还会发布针对其它组件的补丁来修补MSCTF。

0x02 影响版本

CVE-2019-1162受影响的版本如下：

Windows 10 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1703 for 32-bit Systems

Windows 10 Version 1703 for x64-based Systems

Windows 10 Version 1709 for 32-bit Systems

Windows 10 Version 1709 for 64-based Systems

Windows 10 Version 1709 for ARM64-basedSystems

Windows 10 Version 1803 for 32-bit Systems

Windows 10 Version 1803 for ARM64-basedSystems

Windows 10 Version 1803 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for ARM64-basedSystems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for ARM64-basedSystems

Windows 10 Version 1903 for x64-based Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack1

Windows 8.1 for 32-bit systems

Windows 8.1 for x64-based systems

Windows RT 8.1

Windows Server 2008 for 32-bit SystemsService Pack 2

Windows Server 2008 for 32-bit SystemsService Pack 2 (Server Core installation)

Windows Server 2008 for Itanium-Based SystemsService Pack 2

Windows Server 2008 for x64-based SystemsService Pack 2

Windows Server 2008 for x64-based SystemsService Pack 2 (Server Core installation)

Windows Server 2008 R2 for Itanium-BasedSystems Service Pack 1

Windows Server 2008 R2 for x64-based SystemsService Pack 1

Windows Server 2008 R2 for x64-based SystemsService Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Coreinstallation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Coreinstallation)

Windows Server 2016

Windows Server 2016 (Server Coreinstallation)

Windows Server 2019

Windows Server 2019 (Server Coreinstallation)

Windows Server, version 1803 (Server CoreInstallation)

Windows Server, version 1903 (Server Coreinstallation)

0x03 修复建议

目前漏洞利用相关代码已经公开，360CERT建议通过安装360安全卫士(http://weishi.360.cn)进行一键更新。应及时进行Microsoft Windows版本更新并且保持Windows自动更新开启，也可以通过下载参考链接中的软件包，手动进行升级。

0x04 时间线

2019-08-14 微软官方发布安全公告

2019-08-16 360CERT发布预警

0x05 参考链接

1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162
2. https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html