
Windows Privilege Escalation - CVE-2021-1732

About Vulnerability


The type confusion vulnerability is in the Windows kernel module Win32kfull.sys. Win32kfull.sys is the core driver the Windows kernel uses to implement the graphical subsystem; it mediates communication between the Windows system and the hardware.

  • Affected Windows versions: Windows 10 1803 - 20H2, Windows Server 2019, 2004


Call Stack


Vulnerability Reason


This is a type confusion vulnerability: the sign bit at tagBody+0xE8 is set incorrectly, which causes the value at tagBody+0x128 to be used abnormally.


Terms used above

  • tagWND: the kernel data structure Windows uses to describe a window created by a user; it stores all information about the window.

  • tagBody: a pseudo name. Objects such as Window, Bitmap and Palette allocate their object headers and object bodies from different locations; for the implementation logic, see the HMAllocObject function.


Effect


It successfully spawned me a shell with privileged access (as NT AUTHORITY) 😎.