Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Expert releases PoC for CVE-2022-21882 Windows local privilege elevation issue

A researcher disclosed an exploit for a Windows local privilege elevation issue (CVE-2022-21882) that allows anyone to gain admin privileges in Windows 10. The security researchers RyeLv has publicly released an exploit for a Windows local privilege elevation flaw (CVE-2022-21882) that allows anyone to gain admin privileges in Windows 10. The Win32k elevation of privilege […]

Microsoft Zero-Day

A researcher disclosed an exploit for a Windows local privilege elevation issue (CVE-2022-21882) that allows anyone to gain admin privileges in Windows 10.

The security researchers RyeLv has publicly released an exploit for a Windows local privilege elevation flaw (CVE-2022-21882) that allows anyone to gain admin privileges in Windows 10.

The Win32k elevation of privilege vulnerability was fixed this month as part of the January 2022 Patch Tuesday, it is the result of a bypass for the previously CVE-2021-1732 flaw.

“A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.” reads the advisory published by Microsoft.

Now RyeLv published a detailed analysis of the vulnerability that affects all supported support versions of Windows 10.

Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network, create new administrative users, or perform privileged commands.

“Attacker can intercept this callback [xxxClientAllocWindowClassExtraBytes] through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable,and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.” reads the analysis published by RyeLv. “After the final callback, the system does not check whether the window type has changed, and the wrong data is referenced due to type confusion. The difference before and after the flag modified is that before setting the flag, the system thinks that tagWND.WndExtra saves a user_mode pointer; after the flag is set, the system thinks that tagWND.WndExtra is the offset of the kernel desktop heap,and attacker can control this offset, then cause out-of-bounds R&W.”

Multiple experts confirmed that the exploits correctly work, including the CERT/CC vulnerability analyst Will Dormann:

Administrators that have yet to install January 2022 security updates are recommended to do it as soon as possible to prevent attacks exploiting this issue.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]