Windows emergency response and system reinforcement (6)


Introduction to and analysis of high-risk Windows vulnerabilities over the years

1、 Vulnerability introduction:

1. Vulnerabilities:

<1> Vulnerabilities are an important factor affecting network security;

<2> Vulnerability exploitation has become the most common means of malicious attack;

<3> Vulnerability attacks show a trend toward industrialization, low cost, diversified methods and a low entry threshold;

<4> In the information age, both individuals and enterprises face severe vulnerability threats;

<5> High-risk vulnerabilities in Windows, Office, IE, Edge, Flash and other products are frequently exposed.

2. Windows vulnerabilities:

<1> MS08-067 RCE vulnerability;

<2> MS12-020 DoS / blue screen / RCE vulnerability;

<3> MS15-034 HTTP.sys RCE vulnerability;

<4> MS16-114 SMB RCE vulnerability;

<5> 2017: WannaCry ransomware, MS17-010 EternalBlue vulnerability, Meltdown / Spectre CPU design vulnerabilities, the "Hacker Oscar" vulnerability, the Equation Editor vulnerability, CVE-2017-7269 IIS RCE vulnerability;

<6> 2018: Spectre ("Ghost") CPU vulnerability, "Stuxnet 3" (third-generation Stuxnet), the "412" drive-by-download (hanging-horse) storm;

<7> 2019: CVE-2019-0708 Remote Desktop RCE vulnerability.

2、 Vulnerability trends in charts

1. In recent years the number of Windows vulnerability submissions has increased year by year; 2018 and 2019 were the outbreak period, years of extreme testing for the network security industry.


2. Microsoft product vulnerability classification statistics:


3. Windows vulnerability attacks and exploitation: distribution of malware and of exploited vulnerabilities. Non-PE samples (e-mail phishing, Office macro viruses, script-based malware) are harder to detect and account for 66%:


3、 Famous high-risk Windows vulnerabilities over the years

Every time a high-risk Windows vulnerability is publicly disclosed it causes an uproar across society and affects many industries, because Windows is deployed in every field of production and service.


1. MS08-067 (CVE-2008-4250): SMB RCE vulnerability:

<1> Vulnerability information:

MS08-067 (CVE-2008-4250) is a milestone Windows SMB vulnerability with far-reaching influence and one of the most classic. The exploit toolkit leaked by the Shadow Brokers in 2017 still contained an MS08-067 exploit. MS08-067 is a typical Windows buffer overflow vulnerability: at the time, Windows memory and stack protection (ASLR) was not yet mature.

The vulnerability is triggered by calling the NetPathCanonicalize function of the Server service through MS-RPC over an SMB named pipe. When NetPathCanonicalize is invoked for a remote path, it calls NetpwPathCanonicalize to canonicalize that path; a logic error in NetpwPathCanonicalize causes a stack buffer overflow, which ultimately leads to RCE (remote command / code execution).

Because of its wide impact, successful exploitation yields SYSTEM privileges and complete control of Windows, enabling worms, ransomware, remote-control Trojans and other malicious attacks.

<2> Affected components: svchost.exe, netapi32.dll.

<3> Official announcement:

<4> Check the patch:

      wmic qfe GET hotfixid | findstr /C:"KB958644"


2. MS17-010: EternalBlue SMBv1 RCE vulnerability:

<1> Vulnerability information:

Multiple Windows SMB remote code execution (RCE) vulnerabilities exist in the way the Microsoft Server Message Block 1.0 (SMBv1, file sharing protocol) server handles certain requests. An attacker who successfully exploits these vulnerabilities gains the ability to execute code on the target system. In most cases an unauthenticated attacker exploits the vulnerability by sending specially crafted packets to the target SMBv1 server.

In the past two years the "EternalBlue" vulnerability has become one of the most exploited security vulnerabilities. Malicious campaigns used EternalBlue to spread worm-like ransomware, and EternalBlue opened a new era of ransomware.

Note: the WannaCry ransomware was built by attackers on the EternalBlue exploit released by the Shadow Brokers; more than 230,000 hosts worldwide were infected by the virus and worm, and variants are still circulating today.

<2> Affected systems:

      Windows XP, 2003, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2016

<3> Symptoms: infection by ransomware, file damage.

<4> Official announcement:

<5> Check the patch:

      wmic qfe GET hotfixid | findstr /C:"KB4012212"

3. CVE-2018-8174 / CVE-2018-8893: IE "double kill" 0-day, high-risk vulnerability:

<1> Vulnerability information:

A Word document embeds a malicious web page through the OLE AutoLink vulnerability CVE-2017-0199; all exploit code and malicious payloads are loaded from a remote server. Once the user opens the bait document, the Word process first fetches the remote IE VBScript 0-day (CVE-2018-8174) web page. After the vulnerability is triggered, shellcode executes and issues multiple requests to fetch payload data from the remote server, which is decrypted and executed. During payload execution the Word process drops three DLL backdoors locally and installs them through PowerShell and rundll32 commands respectively. Installation of the program and backdoor relies on public UAC bypass techniques, and uses file steganography and in-memory reflective loading to evade traffic monitoring and achieve fileless loading.

This 0-day was used in APT attacks against IE-kernel browsers and Office (for example by the APT-C-06 group, which lurked and monitored for a long time in the Chinese government, scientific research and foreign trade sectors); it affects the latest IE versions and applications that embed the IE kernel. When browsing web pages or opening Office documents, users may be compromised and eventually have a backdoor Trojan implanted that fully controls the computer.

The exploit uses multiple UAF (use-after-free) bugs to achieve type confusion, gains arbitrary address read and write by forging array objects, and finally obtains code execution by constructing and freeing objects. Code execution does not rely on traditional ROP (return-oriented programming) or on GodMode (a hidden folder window in NT6 systems that gathers almost all system settings); instead the shellcode is laid out through the script itself, giving stable exploitation.



<2> Official introduction:

<3> Check the patch:

      wmic qfe GET hotfixid | findstr /C:"KB4134651"

<4> Because the first-generation patch did not fully fix the problem, the following derived vulnerabilities appeared:

CVE-2018-8242, IE double kill, second-generation 0-day vulnerability;

CVE-2018-8373, IE double kill, third-generation 0-day vulnerability;




4. CVE-2019-0708: Remote Desktop Services RCE vulnerability:

<1> Vulnerability information:

On May 14, 2019, a critical (highly destructive) security vulnerability was disclosed in Windows Remote Desktop Services (RDP, TCP/UDP 3389). It is exploitable before authentication and needs no user interaction, allowing arbitrary code execution (RCE): installing backdoors, viewing and tampering with private data, and, as reported, creating new accounts with full user rights and other attacks that completely take over the target computer. The vulnerability could be used to build a WannaCry-style worm, comparable to the one that swept the world in 2017, for large-scale spread and destruction.

<2> Affected system versions (and patch KB):

      Windows XP (KB4500331), Windows 2003 (KB4500331), Vista (KB4499180), 2008 / 2008 R2 (KB4499180), Windows 7 (KB4499175).

<3> Official information:

<4> Free testing tools:

<5> Vulnerability detection:

      wmic qfe GET hotfixid | findstr /C:"KB4499175"

Note: open the Windows command line and enter "regedit" to open the Registry Editor -> the RDP port number can be viewed and modified in the following two locations:








Note: every patch-detection command in this article has the form wmic qfe GET hotfixid | findstr /C:"X". If patch "X" is installed, the command echoes its KB id; otherwise nothing is displayed.
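The same check, applied offline to the `wmic qfe GET hotfixid` output captured from many hosts at once, as an added example (not part of the original article): it parses the KB ids from the raw output and reports which of the vulnerabilities above have none of their listed KBs installed. The KB numbers are the ones this article gives; the sample output is constructed.

```python
"""Check captured `wmic qfe GET hotfixid` output against the patch KBs listed
in this article for MS08-067, MS17-010, CVE-2018-8174 and CVE-2019-0708."""
import re
from typing import Dict, List, Set

# Patch KBs exactly as the article lists them. For CVE-2019-0708 the KB is
# OS-specific, so any one of the listed ids counts as patched.
VULN_KBS: Dict[str, Set[str]] = {
    "MS08-067 (CVE-2008-4250)": {"KB958644"},
    "MS17-010 (EternalBlue)": {"KB4012212"},
    "CVE-2018-8174 (IE double kill)": {"KB4134651"},
    "CVE-2019-0708 (Remote Desktop Services)": {"KB4500331", "KB4499180", "KB4499175"},
}

KB_RE = re.compile(r"\bKB\d{6,7}\b")


def parse_qfe(output: str) -> Set[str]:
    """Extract installed KB ids from raw wmic output.

    The header line, trailing spaces and CRLF line endings that wmic emits
    are ignored because only the KB tokens are matched."""
    return set(KB_RE.findall(output))


def missing_patches(installed: Set[str]) -> List[str]:
    """Return the vulnerabilities for which none of the listed KBs is present."""
    return [vuln for vuln, kbs in VULN_KBS.items() if not (kbs & installed)]


# Constructed sample of `wmic qfe GET hotfixid` output (not from a real host).
SAMPLE_OUTPUT = (
    "HotFixID  \r\n"
    "KB958644  \r\n"
    "KB4012212 \r\n"
    "KB4499175 \r\n"
)

if __name__ == "__main__":
    installed = parse_qfe(SAMPLE_OUTPUT)
    print("installed:", sorted(installed))
    for vuln in missing_patches(installed):
        print("listed KB not found for:", vuln)
```

A vulnerability reported here means only that the specific KB from the article is absent; a later cumulative update may have superseded it, so confirm against the current Microsoft update catalog before treating the host as unpatched.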