
Expert releases PoC for CVE-2022-21882 Windows local privilege elevation issue

A researcher disclosed an exploit for a Windows local privilege elevation issue (CVE-2022-21882) that allows anyone to gain admin privileges in Windows 10.

The security researcher RyeLv has publicly released an exploit for a Windows local privilege elevation flaw (CVE-2022-21882) that allows anyone to gain admin privileges in Windows 10.

The Win32k elevation of privilege vulnerability was fixed this month as part of the January 2022 Patch Tuesday; it is a bypass of the fix for the earlier CVE-2021-1732 flaw.

“A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.” reads the advisory published by Microsoft.

Now RyeLv has published a detailed analysis of the vulnerability, which affects all supported versions of Windows 10.

Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network, create new administrative users, or perform privileged commands.

“An attacker can intercept this callback [xxxClientAllocWindowClassExtraBytes] through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable, and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.” reads the analysis published by RyeLv. “After the final callback, the system does not check whether the window type has changed, and the wrong data is referenced due to type confusion. The difference before and after the flag is modified is that before setting the flag, the system thinks that tagWND.WndExtra saves a user_mode pointer; after the flag is set, the system thinks that tagWND.WndExtra is the offset of the kernel desktop heap, and an attacker can control this offset, then cause out-of-bounds R&W.”
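The following is a toy C model of the pattern RyeLv describes, added here as an illustration (it is neither RyeLv's PoC nor Windows code): the meaning of a window's WndExtra field is decided by a flag that a callback into user mode can change, so a value handed back by the callback is reinterpreted as a kernel heap offset without any check. The struct layout, flag name, heap size and the re-validation in the hardened resolver are assumptions; the hardened version shows the missing check, not Microsoft's actual patch.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed toy model: what WndExtra means depends on the ConsoleWindow flag
 * (struct layout, flag name and heap size are assumptions, not Windows internals). */
#define FLAG_CONSOLE_WINDOW 0x1u
#define DESKTOP_HEAP_SIZE   64u            /* size of the stand-in kernel desktop heap */
static uint8_t user_buffer[16];            /* stands in for a user-mode allocation */

typedef struct {
    uint32_t  flags;
    uintptr_t wnd_extra;   /* user-mode pointer, or heap offset when the flag is set */
} toy_wnd;

typedef enum { TARGET_USER, TARGET_HEAP, TARGET_HEAP_OOB, TARGET_REJECTED } target_kind;
typedef void (*alloc_extra_cb)(toy_wnd *w);   /* the callback into "user mode" */

static void benign_callback(toy_wnd *w) { w->wnd_extra = (uintptr_t)user_buffer; }

/* Hooked callback: flips the window type and supplies a chosen offset, which is
 * the flag change during the callback that RyeLv's analysis describes. */
static void type_changing_callback(toy_wnd *w) {
    w->flags |= FLAG_CONSOLE_WINDOW;
    w->wnd_extra = DESKTOP_HEAP_SIZE + 1000;   /* far past the end of the heap */
}

/* Vulnerable: re-reads the flag after the callback and trusts the returned value
 * as a heap offset, never checking that the type is unchanged or the offset in range. */
static target_kind resolve_vulnerable(toy_wnd *w, alloc_extra_cb cb, uintptr_t *out) {
    cb(w);
    *out = w->wnd_extra;
    return (w->flags & FLAG_CONSOLE_WINDOW) ? TARGET_HEAP : TARGET_USER;
}

/* Hardened (illustrative, not Microsoft's actual patch): snapshot the type,
 * reject any change made during the callback, and bounds-check heap offsets. */
static target_kind resolve_hardened(toy_wnd *w, alloc_extra_cb cb, uintptr_t *out) {
    uint32_t type_before = w->flags & FLAG_CONSOLE_WINDOW;
    cb(w);
    if ((w->flags & FLAG_CONSOLE_WINDOW) != type_before) return TARGET_REJECTED;
    if (type_before && w->wnd_extra >= DESKTOP_HEAP_SIZE) return TARGET_REJECTED;
    *out = w->wnd_extra;
    return type_before ? TARGET_HEAP : TARGET_USER;
}

/* Run one callback against a fresh non-console window through either resolver and
 * report where the follow-up access would land (TARGET_HEAP_OOB = past the heap). */
static target_kind scenario(bool hardened, alloc_extra_cb cb) {
    toy_wnd w = {0, 0}; uintptr_t out = 0;
    target_kind k = hardened ? resolve_hardened(&w, cb, &out) : resolve_vulnerable(&w, cb, &out);
    return (k == TARGET_HEAP && out >= DESKTOP_HEAP_SIZE) ? TARGET_HEAP_OOB : k;
}
```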

Multiple experts confirmed that the exploit works, including CERT/CC vulnerability analyst Will Dormann.

Administrators who have yet to install the January 2022 security updates are urged to do so as soon as possible to prevent attacks exploiting this issue.


Pierluigi Paganini

