CIRT.GY | Windows Vulnerability Allows Privilege Escalation

Windows Vulnerability Allows Privilege Escalation (31st January 2022)

Ref# AL2022_06 | Date: Jan 31st 2022

Description

Security researchers have discovered a vulnerability that affects all supported versions of windows 10 before the January 2022 Patch Tuesday updates. The Windows local privilege elevation flaw allows anyone to gain administrator privileges in Windows 10.

Summary

Any malicious threat actor with limited access to a device that hasn”t gotten this month”s update can simply elevate their rights to assist propagate laterally inside the network, establish new administrator users, or execute privileged commands using this vulnerability.

How it works

The threat actor can use the user mode to call the appropriate Graphical User Interface (GUI) API to make the kernel call, such as xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, and so on. The callback xxxClientAllocWindowClassExtraBytes will be triggered by these kernel functions. Through the KernelCallbackTable hook xxxClientAllocWindowClassExtraBytes, threat actors can intercept this callback and utilize the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, changing the window type.

The system does not check whether the window type has changed after the final callback, and as a result, the erroneous data is accessed due to type confusion. The difference between before and after the flag is modified is that the system believes tagWND.WndExtra saves a user_mode pointer; the system assumes tagWND.WndExtra is the offset of the kernel desktop heap, after the flag is set. The threat actor can influence this offset and subsequently cause out-of-bounds read and write.

Remediation

As part of the January 2022 Patch Tuesday, Microsoft fixed a “Win32k Elevation of Privilege Vulnerability” tracked as CVE-2022-21882, it is advised that all users and administrators download and install Windows 10 January 2022 patch Tuesday updates as soon as possible. This update can be done through the Windows update feature on Windows PC.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Windows Vulnerability Allows Privilege Escalation.pdf

References

Abrams, L. (29th January 2022). Windows vulnerability with new public exploits lets you become admin. Retrieved from BleepingComputer:https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/
RyeLV. (13th January 2022). CVE-2022-21882: Win32k Window Object Type Confusion. Retrieved from 0-Days In-the-Wild:
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html