Shulou(Shulou.com)05/31 Report--

This article shows you the win32k kernel rights vulnerability CVE-2021-1732 example analysis, the content is concise and easy to understand, absolutely can make your eyes bright, through the detailed introduction of this article, I hope you can get something.

CVE-2021-1732 is a 0Day vulnerability used by BITTER APT in an attack that was disclosed in February this year.

This vulnerability takes advantage of a user-mode callback opportunity in the win32k kernel module of the Windows operating system, destroys the normal execution flow of the function, causes the property setting of the window object extension data to be wrong, and finally leads to the memory out of bounds of the kernel space. This vulnerability will be triggered when a user of the affected version of the Windows operating system executes an attacker-constructed exploit sample, resulting in local privilege escalation [4].

1. Analysis of loophole principle

The root cause of the CVE-2021-1732 vulnerability is:

In the process of Windows window creation (CreateWindowEx), when the window object tagWND has extended data (tagWND.cbwndExtra! = 0), the function in the user state ntdlll extended data PEB.kernelCallbackTable (offset+0x58) will be called through the ntexpanKeUserModeCallback callback mechanism: user3 (sensitive word) 2roomxxClientAllocWindowClassExtraBytes, so that the memory of the data is extended through the system heap allocator (RtlAllocateHeap) in the user mode. By hook user3 (sensitive word) 2 in user mode and modifying the attribute of extended data of window object manually in hook function, the atomic operation of requesting memory for extended data of window object in kernel state can be destroyed, and finally the ability to extend data memory based on window object can be realized.

The normal flow of the Windows window creation (CreateWindowEx) process is shown in the following figure (part):

As you can see from the figure above: when the extended data size tagWND.cbWndExtra of the window is not 0, win32kfullextenxxCreateWindowEx calls the user-mode user3 (sensitive word) 2roomxxxClientAllocWindowClassExtraBytes function through the kernel callback mechanism, applies for the memory needed for the extended data of the window object in user space, and finally returns the pointer to the window object's tagWND.pExtraBytes attribute:

There are two ways to save the extended data of the kernel window object tagWND:

Saved in the user-mode system heap: that is, the normal flow shown in the figure above, the extended data memory pointer applied for by the user-mode system heap is stored directly in pExtraBytes.

A tagWND memory layout based on user-mode system heap mode is shown in the following figure:

2) Save in kernel desktop heap: the function NtUserConsoleControl call allocates memory through the DesktopAlloc kernel desktop heap, calculates the offset of the allocated extended data memory address to the starting address of the desktop heap, saves it in tagWND.pExtraBytes, and modifies tagWND.extraFlag | = 0x800:

A tagWND memory layout based on kernel desktop heap offset mode is shown in the following figure:

Therefore, you can call back user3 (sensitive word) 2 roomxxxClientAllocWindowClassExtraBytes through hook, and manually call NtUserConsoleControl to modify the extended data storage method of tagWND during the callback. Then manually call ntdllchecked NtCallbackReturn before the callback returns:

The user-mode controllable offset value is returned to tagWND.pExtraBytes by ntdllcontrollable NtCallbackReturn, and the controllable offset out-of-bounds reading and writing ability based on the starting address of kernel desktop heap is finally realized.

The process by which the vulnerability can be triggered after modification is as follows:

According to the modified flowchart above, the key steps for vulnerability trigger are as follows:

1) modify the pointer of the user3 (sensitive word) 2 roomxxxClientAllocWindowClassExtraBytes function in PEB.kernelCallbackTable to the custom hook function.

2) create some ordinary window objects and leak the memory addresses of these tagWND kernel objects mapped in user mode through user3 (sensitive words) 2cm ValidateHandle.

3) release some of the ordinary window objects created in 2), and create the window object hwndMagic of the specified tagWND.cbwndExtra size again. At this point, the window object has a certain chance of using the previously released window object memory. So search for the previously leaked user-state mapping memory address of the window object in the custom hook function, and by comparing the tagWND.cbwndExtra, you can find the hwndMagic before the CreateWindowEx returns.

4) call NtUserConsoleControl in the hook function to modify the extraFlag of hwndMagic | = 0x800.

5) call NtCallbackReturn in the hook function to assign the fake offset to the pExtraBytes of hwndMagic.

6) call SetWindowLong to write data to the start address of the kernel desktop heap + specify offset out of bounds.

One implementation of the hook function is as follows:

BSOD on-site stack:

two。 Vulnerability exploitation analysis

It is known from the vulnerability principle analysis part:

Through this vulnerability, you can get "an opportunity to modify the data based on the kernel desktop heap start address + the specified offset address". For kernel vulnerabilities, the target is to obtain system permissions. A common method is:

Exploit the vulnerability to obtain read and write access to any address in kernel state.

Leak the kernel object address and find the system process through the EPROCESS chain

Copy the system process token to this process to complete the authorization work

The difficulty here is 1): that is, how to use "an opportunity to modify the starting address of desktop heap based on kernel state + specify offset address data" to read and write any address in kernel state. One idea of utilization is shown in the figure:

First of all, by exploiting the vulnerability, the offset of tagWNDMagic's additional data (wndMagic_extra_bytes) can be controlled, and the specified address data modification from desktop heap base address + controllable offset can be realized through SetWindowLong.

Take advantage of the vulnerability ability to modify pExtraBytes to the offset of the tagWND0 object (the offset of tagWND0 is obtained by tagWND0+0x8), and call SetWindowLong to modify tagWND0.cbWndExtra = 0x0fffffff to obtain a tagWND0.pExtraBytes that can be read and written out of bounds.

Calculate the offset from pExtraBytes to tagWND1, use the cross-boundary reading and writing tagWND0.pExtraBytes obtained in 2), and call SetWindowLongPtr to modify the spMenu of tagWND1 to point to the forged spMenu, thus realizing the ability to read any address with the help of forged spMenu and GetMenuBarInfo.

The logic for GetMenuBarInfo to read the specified address data is as follows, and the 16-byte data read is saved in the MENUBARINFO.rcBar structure:

Use the tagWND0.pExtraBytes that can read and write beyond the boundary obtained in 3), modify the tagWND1.pExtraBytes to the specified address, and obtain the ability to write any address with the help of the SetWindowLongPtr of tagWND1.

After obtaining the read and write permission of any address, you need to leak a kernel object address on the desktop heap to locate the EPROCESS. Here, step 3) when you set a fake spMenu for tagWND1, the returned value of SetWindowLongPtr is the kernel address of the original spMenu, which can be used directly. Finally, by traversing the EPROCESS chain to find the system process, and copy the system process token to this process to complete the rights, this kind of method is more common and will not be described in detail.

The final and complete demonstration of the lifting of rights:

The above content is an example analysis of win32k kernel privilege vulnerability CVE-2021-1732. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.