An exploit for a Windows local privilege elevation vulnerability that allows anyone to gain admin privileges in Windows 10 has been publicly disclosed by a security researcher. Threat actors who had access to a compromised device could elevate their privileges to spread laterally within the network, create new administrative users, or perform privileged commands.
What is an LPE bug?
Local privilege escalation happens when one user acquires the system rights of another user. Network intruders have different techniques for increasing privileges once they have gained access to a system. The initial intrusion could start from anywhere, say a guest account or a local user who has carelessly written a username and password on a Post-it note. Regular users typically operate at a relatively low privilege level, usually to prevent someone who obtains their credentials from gaining control of the system. Once inside, the intruder employs privilege escalation techniques to increase the level of control over the system.
A Windows zero-day vulnerability exploited since mid-2020
Microsoft previously said that a high-severity Windows zero-day vulnerability patched during the February 2021 Patch Tuesday had been exploited in the wild since at least the summer of 2020, according to its telemetry data. The actively exploited zero-day bug was tracked as ‘CVE-2021-1732 – Windows Win32k Elevation of Privilege Vulnerability.’ As part of the January 2022 Patch Tuesday, Microsoft fixed a ‘Win32k Elevation of Privilege’ vulnerability tracked as CVE-2022-21882, which is a bypass for the previously patched and actively exploited CVE-2021-1732 bug.
It was first disclosed by RyeLv, a security researcher, who explained: “The attacker can call the relevant GUI API at the user_mode to make the kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc. These kernel functions will trigger a callback xxxClientAllocWindowClassExtraBytes. An attacker can intercept this callback through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable, and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.”
The bug was being exploited by sophisticated groups as a zero-day issue, Microsoft said.
Microsoft’s diminishing bug-bounty rewards
This same vulnerability was apparently discovered about two years ago by an Israeli security researcher who is also the CEO of Piiano, Gil Dabah, who tweeted that he decided not to report the bug two years ago as Microsoft’s bug-bounty rewards were reduced.
Also, RyeLv stated in his technical write-up for the CVE-2022-21882 vulnerability: “Improve the kernel 0day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.”
General precautions
Microsoft improving its bug bounty rewards could potentially lead to more bug reports by motivated researchers.
Many users chose to skip the January 2022 updates because of the significant number of critical bugs those updates introduced, including reboots, L2TP VPN problems, inaccessible ReFS volumes, and Hyper-V issues during installation. Keeping auto-updates off and researching the latest updates before installing them might be the best course of action until Microsoft updates are deemed reliable.
Sources: https://www.bleepingcomputer.com/news/security/recently-fixed-windows-zero-day-actively-exploited-since-mid-2020/
https://threatpost.com/public-exploit-windows-10-bug/178135/
https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-21882.html
It was an interesting read. As I would agree with most of it, I believe Microsoft should develop more awareness about the potential security threats that their systems are prone to with meticulous testing and identification during early stages of updates, as opposed to depending on users to point out the bugs. Although with improving technologies, the number of ways to penetrate software to control it with the highest level of access increases exponentially, I reckon the competitive mindset of the major players in the domain such as Apple, Google, Msft, etc. is the primary factor that leads to carelessness with delivery by placing emphasis on speed over quality. But in a way, awarding people for finding problems does encourage them to report them instead of exploiting them, and saves trouble. Your references were pretty good as well. Great job!
Thank you for this informative post! I have noticed a trend in recent weeks with regards to an increasing number of vulnerabilities that Big Tech companies are experiencing. Last month for example, a massive Tesla vulnerability was uncovered by a German teen hacker. He demonstrated that vulnerable third party apps installed in some Tesla cars for the purpose of analyzing data, if hacked into, allowed him to gain control of certain features including steering, braking and acceleration. This, if exploited for malicious purposes, could have resulted in disastrous consequences. Although not the same thing, this post sheds light on another Big Tech company having potentially disastrous vulnerabilities. I think that offering up these so called “bug bounties” is an excellent way to invite cybersecurity experts across the globe, to be involved in enhancing systems and protecting these companies from further damage. Sometimes the best solutions are found outside of a company, and I really do believe that such bounties will foster a greater level of trust for these Big Tech companies. Furthermore, getting external experts involved will allow for these companies to develop objective counter-measures.
This was a really interesting post. From reading some other posts it seems that bug bounties have become standard practice in preventing security problems. It is interesting that such a large company like Microsoft would decrease their bounty rewards. Microsoft definitely has enough money to pay more money, but it seems that they are either extremely cocky or do not care about their software after release. Hopefully, they learn from this event and re-increase the bug bounty amount and try to minimize the amount of vulnerabilities in their updates before they release them.
Good Post! I did not know that “bug bounties” were a thing. I think that it is a great idea and that the concept of employing outside cybersecurity professionals to locate bugs within your system is a good one (as other commenters have mentioned). I know people who work in (quite highly) paid QA positions for software companies; their entire job is to comb over software looking for bugs or problems and reporting them to be fixed. I find the idea that a company could outsource part of this bug-finding process rather interesting; while the number of bugs found would be less than the number found by hiring a team of QA analysts, using an outside expert to find bugs could help find outlier bugs that a QA would miss (with this Windows vulnerability being a prime example).
Great post!
Before reading your blog, I always thought the bugs in the Windows system were found (detected) by the researchers hired by Microsoft. I didn’t know Microsoft holds bug-bounty rewards to encourage researchers who don’t work for them to help them find (detect) the bugs in the Windows system.
As a CPSC student who is not familiar with operating systems on PC, once Microsoft posts new updates, I always choose to update the Windows system on my laptop. This is because even though I read the descriptions for the new updates, I still cannot understand what the new updates are and how they work in the Windows system. Thus, I don’t agree that “Keeping auto-updates off and researching the latest updates before installing it …”. For the people who are not familiar with the principles of operating systems, we should recommend that they keep “auto-updates” on. This is because updating the operating system on your PC on time is always a good way to protect your privacy and keep your personal data safe.