Windows漏出多个内核提权漏洞，附POC

首先... 这是非常值得重视的安全漏洞。

这两天，Google 安全研究团队一口气报了6个Windows 内核的高危漏洞。当中四个属于读跨界漏洞，一个空指针引用漏洞和一个win32k.sys TTF 字体处理漏洞。

Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File
Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File
Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File
Windows Kernel - Out-of-Bounds Read in CI!CipFixImageType While Parsing Malformed PE File
Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File
Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter

#CVE 号

在里面，至少有三个CVE号，影响范围相当的大.

CVE-2019-1341

Windows 提权漏洞

影响范围：Win7及以上全体desktop和server版本的Windows系统。

CVE-2019-1362

Windows Win32k 提权漏洞

影响范围：Win7、Win2008、Win2008R2 及其细分版本。

CVE-2019-1364

Windows Win32k 提权漏洞

影响范围：Win7、Win2008、Win2008R2 及其细分版本。

（除此之外，近日公布漏洞还有一个远程桌面客户端任意代码执行漏洞（CVE-2019-1333））

#漏洞细节

Google 安全研究团队公布了触发漏洞的细节，exploit-db上可以清楚地看到相应的bug触发条件和崩溃日志，以及触发此漏洞的POC。

#1 Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter

触发漏洞的细节：

https://www.exploit-db.com/exploits/47484

poc：

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47484.zip

#2 Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File

触发漏洞的细节：

https://www.exploit-db.com/exploits/47485

poc：

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47485.zip

#3 Windows Kernel - Out-of-Bounds Read in CI!CipFixImageType While Parsing Malformed PE File

触发漏洞的细节：

https://www.exploit-db.com/exploits/47486

poc：

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47486.zip

#4 Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File

触发漏洞细的节：

https://www.exploit-db.com/exploits/47487

poc：

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47487.zip

#5 Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File

触发漏洞的细节：

https://www.exploit-db.com/exploits/47488

poc：

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47488.zip

#6 Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File

触发漏洞的细节：

https://www.exploit-db.com/exploits/47489

poc：

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47489.zip

Google团队只提供了能触发漏洞的细节，并没有写相应的利用工具。

鉴于如此高危的漏洞集体蹦了出来，咱可爱的用户们... 赶紧点击Windows更新，打一下补丁...