Security teams may have skipped over January's Patch Tuesday after reports of it breaking servers, but it also included a patch for a privilege-escalation bug in Windows 10 that leaves unpatched systems open to attackers seeking administrator-level access.
It is a bug that now has a proof-of-concept exploit available in the wild.
The vulnerability affects every Windows 10 version that has not received Microsoft's 'messy' January update.
The exploit was released by Gil Dabah, Founder and CEO of Privacy Piiano, who tweeted that he decided not to report the bug two years ago after finding it difficult to get paid for other bug bounties through the Microsoft program.
The LPE Bug
“A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver,” Microsoft explained in its advisory, part of January's Patch Tuesday updates.
The disclosure for CVE-2022-21882 from RyeLv, who is credited with the find, was published on Jan. 13 and described the win32k object type confusion vulnerability.
“The attacker can call the relevant GUI API at the user mode to make the kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc.,” the disclosure by RyeLv explained.
Callback
“These kernel functions will trigger a call-back xxxClientAllocWindowClassExtraBytes. Attacker can intercept this call-back through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable and use the NtUserConsoleControl method to set the Console Window flag of the tagWND object, which will modify the window type.”
The bug was being exploited by sophisticated groups as a zero-day issue, Microsoft said.
Microsoft Needs to Improve Bug Bounty Game?
January's Patch Tuesday was troubled by Windows Server update issues that could understandably have made internal security teams pause before deploying the patches. A PoC is now available for the bug, putting exploitation within reach of cyber-criminals of every level of expertise.
Dabah stated that Microsoft’s bug-bounty program was ‘problematic.’
Investing in the program was the primary recommendation in RyeLv’s technical analysis to Microsoft.
Kill the Bug
RyeLv described how to “kill the bug class”: “Improve the kernel zero-day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.”
Microsoft has been willing to put extra funding into bug-bounty programs for other high-profile products, including last spring's announcement that the company would pay up to $30k for Teams bugs.
The computing giant did not immediately return a request for comment.