module

Win32k ConsoleControl Offset Confusion

Try Surface Command
Back to search
Disclosed
2021-02-09
Created
2022-02-26

Description

A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
achieve an out of bounds write operation, eventually leading to privilege escalation.

This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
function on a wider range of Windows 10 targets.

Authors

BITTER APT
JinQuan
MaDongZe
TuXiaoYi
LiHao
L4ys
KaLendsi
Spencer McIntyre

Platform

Windows

Architectures

x64

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/windows/local/cve_2022_21882_win32k
    msf exploit(cve_2022_21882_win32k) > show targets
        ...targets...
    msf exploit(cve_2022_21882_win32k) > set TARGET < target-id >
    msf exploit(cve_2022_21882_win32k) > show options
        ...show and set options...
    msf exploit(cve_2022_21882_win32k) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today