Security teams might have skipped January’s Patch Tuesday after reports of it breaking servers, but it also included a patch for a privilege-escalation bug in Windows 10 that leaves unpatched systems open to malicious actors looking for administrative access. It’s a bug that now has a proof-of-concept exploit available in the wild.
The exploit was released by Gil Dabah, founder and CEO of Privacy Piiano, who tweeted that he decided not to report the bug two years ago after finding it difficult to get paid on other bug bounties through the Microsoft program.
Found it two years ago. Not recently. That’s the point. https://t.co/PtRuNDAEYQ
— Gil Dabah (@_arkon) January 26, 2022
The LPE Bug
“A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver,” Microsoft explained in it’s advisory, part of January’s Patch Tuesday updates.
The disclosure for CVE-2022-21882 from RyeLv, who is attributed with the find, was published on Jan. 13 and described the win32k object type confusion vulnerability.
“The attacker can call the relevant GUI API at the user_mode to make the kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc.,” the disclosure by RyeLV said.
“These kernel functions will trigger a callback xxxClientAllocWindowClassExtraBytes. Attacker can intercept this callback through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable,and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.”
The bug was being exploited by sophisticated groups as a zero-day issue, Microsoft said.
Regarding the just-fixed CVE-2022-21882:
win32k privilege escalation vulnerability,
CVE-2021-1732 patch bypass,easy to exploit,which was used by apt attacks
— b2ahex (@b2ahex) January 12, 2022
Microsoft Needs to Up It’s Bug Bounty Game?
January’s Patch Tuesday was plagued by Windows server update issues that could have understandably made internal security teams pause before downloading the patches. But a PoC is now available for the bug, putting exploitation in reach of cybercriminals of all levels of expertise.
Dabah said that Microsoft’s bug-bounty program was problematic.
The reason I didn’t disclose it, was because I waited to get paid by Msft for long time for other stuff. By the time they paid they reduced awards to nothing almost. I was already busy with my startup and that’s the story how it went unfixed. @ja_wreck https://t.co/PtRuNDAEYQ
— Gil Dabah (@_arkon) January 28, 2022
Investing in the program was the primary recommendation in RyeLv’s technical analysis to Microsoft.
He noted how to “kill the bug class”: “Improve the kernel zero-day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.”
It should be noted that Microsoft has been willing to throw additional funding at bug-bounty programs for other high-profile products, including last spring’s announcement the company would pay up to $30,000 for Teams bugs.
The computing giant did not immediately return a request for comment.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.