CVE编号
CVE-2022-21882利用情况
POC 已公开补丁情况
官方补丁披露时间
2022-01-11漏洞描述
攻击者在用户模式调用相关的GUI API来进行kernel调用,如xxxMenuWindowProc、xxxSBWndProc、xxxSwitchWndProc和xxxTooltipWndProc。这些kernel函数调用会触发xxxClientAllocWindowClassExtraBytes回调。攻击者可以通过hook KernelCallbackTable 中的xxxClientAllocWindowClassExtraBytes来拦截回调,使用NtUserConsoleControl 方法来设置tagWND 对象的ConsoleWindow flag,这一步操作可以修改窗口类型。 回调后,系统不会检查窗口的类型是否修改,由于类型混淆会导致错误的数据被应用。Flag修改前系统会将tagWND.WndExtra保存为一个用户模式指针,flag设置后,系统会将tagWND.WndExtra 看作为kernel desktop heap的偏移量,攻击者控制了该偏移量后,就可以引发越界读和写。该漏洞利用可以实现权限提升。受影响系统: Windows 10 Version 21H1 for 32-bit Systems Windows Server 2022 (Server Core installation) Windows 10 Version 1909 for ARM64-based Systems Windows 10 Version 20H2 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for ARM64-based Systems Windows Server 2019 (Server Core installation) Windows 10 Version 1909 for 32-bit Systems Windows 10 Version 1909 for x64-based Systems Windows 10 Version 21H1 for x64-based Systems Windows 10 Version 21H1 for ARM64-based Systems Windows 10 Version 20H2 for 32-bit Systems Windows 10 Version 20H2 for ARM64-based Systems Windows Server version 20H2 (Server Core Installation) Windows 11 for x64-based Systems Windows 11 for ARM64-based Systems Windows 10 Version 21H2 for 32-bit Systems Windows 10 Version 21H2 for ARM64-based Systems Windows 10 Version 21H2 for x64-based Systems
解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21882
参考链接 |
|
|---|---|
| http://packetstormsecurity.com/files/166169/Win32k-ConsoleControl-Offset-Conf... | |
| https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882 | |
| https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21882 |
- 攻击路径 远程
- 攻击复杂度 复杂
- 权限要求 无需权限
- 影响范围 越权影响
- EXP成熟度 POC 已公开
- 补丁情况 官方补丁
- 数据保密性 数据泄露
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 N/A
还没有评论,来说两句吧...