一、漏洞描述

Wallet Service是电子钱包客户端所使用的一个服务模块，只存在于windows10和windows server中。

2020年7月14日，微软发布安全更新，修补漏洞。2020年7月17日，github上出现POC。

二、影响范围

受影响版本型号：

Windows 10 for 32-bit Systems  

Windows 10 for x64-based Systems  

Windows 10 Version 1607 for 32-bit Systems

Windows 10 Version 1607 for x64-based Systems  

Windows 10 Version 1709 for 32-bit Systems  

Windows 10 Version 1709 for ARM64-based Systems  

Windows 10 Version 1709 for x64-based Systems  

Windows 10 Version 1803 for 32-bit Systems  

Windows 10 Version 1803 for ARM64-based Systems  

Windows 10 Version 1803 for x64-based Systems  

Windows 10 Version 1809 for 32-bit Systems  

Windows 10 Version 1809 for ARM64-based Systems  

Windows 10 Version 1809 for x64-based Systems  

Windows 10 Version 1903 for 32-bit Systems  

Windows 10 Version 1903 for ARM64-based Systems  

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

三、漏洞分析

Wallet Service实现在walletservice.dll中，其中漏洞出现在服务模块里的Wallet函数中，由于函数对用户的出入没有进行检测，导致攻击者可以写入任意值到可控的地址，从而可以覆盖堆上的虚表指针来控制程序流，最终导致权限提升。

四、修复建议

目前，微软官方已经发布修正补丁，请前往官网及时更新：

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1362