Critical zero-day vulnerability in Windows 10 that allows local privilege escalation to admin: Exploit code published

Cybersecurity specialists recently published an exploit for a local privilege escalation vulnerability whose successful exploitation would allow malicious users to obtain administrator privileges on Windows 10 systems. Tracked as CVE-2022-21882, the flaw was addressed in Microsoft January 2022 security patches.

According to the report, authenticated local threat actors could gain elevated privileges on the target system by exploiting this flaw, which resides in the Wink32k.sys driver. In this regard, the cybersecurity firm RyeLv published a detailed analysis to confirm that the vulnerability affects all versions of Windows 10 that continue to receive support.

For malicious hackers, limited access to a vulnerable device is enough to easily elevate their privileges and eventually move sideways on the affected network, creating new administrative users or executing commands with elevated privileges.

“Attackers can intercept the xxxClientAllocWindowClassExtraBytes callback via the xxxClientAllocWindowClassExtraBytes link in kernelCallbackTable, using the NtUserConsoleControl method to configure the ConsoleWindow flag of the tagWND object, which will modify the window type,” the experts mention.

After the final callback, the system does not check if the window type has changed and incorrect data is referenced due to type confusion. The difference before and after the flag modification is that before setting the flag, the system thinks that tagWND.WndExtra saves a user_mode flag. Once the flag is set, the system thinks that tagWND.WndExtra is the displacement of the kernel desktop heap, and the attacker can control this displacement and then cause an out-of-bounds reading and writing condition.

Soon after, other members of the cybersecurity community, including renowned analyst Will Dormann, confirmed RyeLv’s findings.

As a security measure, administrators of vulnerable versions are advised to apply the latest Windows updates as soon as possible to mitigate the risk of exploitation. At the moment of writing, the existence of functional alternative solutions is unknown.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.