Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26863, CVE-2021-26875, CVE-2021-26900.
gwillcox-r7 at March 11, 2021 6:25pm UTC reported:
Interesting, so this was a bug within win32kfull.sys!BLTRECORD::bRotate originally disclosed by ZDI as ZDI-CAN-12671, which was a NULL pointer dereference vulnerability within Windows's win32kfull.sys/win32k.sys kernel driver. However, Microsoft originally didn't want to patch this, most likely because Windows 8 and later has memory protections that prevent one from mapping the first 64 KB or so of memory, thereby making it nearly impossible to map the NULL page unless NTVDM is enabled for 16-bit support.
However, with this being said, there have been bypasses of the NULL page protection. One of the most notable was <https://twitter.com/waleedassar/status/1270550282695585792/photo/1>, which shows that if Intel SGX is enabled on a target PC, it is possible to use NtCreateEnclave() to reserve the NULL page in memory. I imagine that other bypasses may exist; however, given their rarity and Microsoft's willingness to patch them as fast as possible, they are likely traded privately.
Interestingly, this vulnerability also affects Windows 7 and Windows Server 2008 and 2008 R2, which only later got these NULL page mitigations backported from Windows 8. Therefore, whilst it's unlikely that recently updated systems are going to be able to be exploited as a result of this NULL page mitigation backporting, it's possible that servers running very outdated versions of these systems may be readily exploitable via this vulnerability.
Assuming the NULL page is mapped though, what will happen is that if the 4-parameter version of win32kfull.sys!BLTRECORD::bRotate is called with a flag parameter that has the HOOK_PLGBLT bit set within it, it will take the surface object that it is trying to draw on and will look at that surface object's hdev field to find the handle to the device driver to use. It will then attempt to call the DrvPlgBlt() function of the device driver without first checking to see if that device driver specified by hdev provides a DrvPlgBlt() function. This can lead to an attempt to execute code from the NULL page as SYSTEM.
So overall, if you can map the NULL page this is a pretty easy vulnerability to exploit, but with the backporting of the NULL page mitigation and the standardization of preventing the NULL page from being mapped starting with Windows 8, it's easy to understand why this was less of a concern for Microsoft to fix.
Assessed Attacker Value: 4
Assessed Attacker Value: 2
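The defect described in the comment above is a classic "optional driver callback invoked without a NULL check" pattern. The following C program is an added example, not code from the comment's author, from Microsoft, or from win32k; it is a user-mode model of that pattern with hypothetical, simplified structures (model_surface, model_pdev, HOOK_PLGBLT_FLAG) that only mimic the concepts named in the comment (a surface's hdev, a driver's DrvPlgBlt slot, the HOOK_PLGBLT bit). It places the unchecked dispatch beside a hardened version that validates the callback slot and falls back to the engine's own drawing path when the driver does not supply the hook.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flag value for this model; the real HOOK_PLGBLT constant
 * lives in the Windows DDK and is not reproduced here. */
#define HOOK_PLGBLT_FLAG 0x00000100u

/* Result codes used by this model (not win32k's). */
enum { BLT_OK = 0, BLT_FALLBACK = 1, BLT_ERR_BADARG = -1 };

typedef int (*plgblt_fn)(void *surface);

/* Hypothetical per-device record: a driver that does not implement
 * DrvPlgBlt leaves the slot NULL, exactly the case the comment describes. */
typedef struct {
    plgblt_fn drvPlgBlt;
} model_pdev;

/* Hypothetical surface object: which device it is drawn on, and which
 * operations the driver has asked to hook. */
typedef struct {
    model_pdev *hdev;
    uint32_t    flags;
} model_surface;

/* Vulnerable shape: the flag alone is trusted, so the hdev callback is
 * invoked without verifying the driver actually filled the slot. With
 * drvPlgBlt == NULL this is a call through a NULL function pointer. */
int rotate_unchecked(model_surface *so)
{
    if (so->flags & HOOK_PLGBLT_FLAG)
        return so->hdev->drvPlgBlt(so);   /* no NULL check: the bug pattern */
    return BLT_FALLBACK;                  /* engine draws it itself */
}

/* Hardened shape: validate the object, the device and the callback slot
 * before dispatching, and fall back to the engine path when absent. */
int rotate_checked(model_surface *so)
{
    if (so == NULL || so->hdev == NULL)
        return BLT_ERR_BADARG;
    if (so->flags & HOOK_PLGBLT_FLAG) {
        if (so->hdev->drvPlgBlt == NULL)
            return BLT_FALLBACK;          /* hooked, but no DrvPlgBlt provided */
        return so->hdev->drvPlgBlt(so);
    }
    return BLT_FALLBACK;
}

/* Constructed driver callback standing in for a real DrvPlgBlt. */
static int sample_drv_plgblt(void *surface)
{
    (void)surface;
    return BLT_OK;
}

/* Build a surface whose driver does or does not implement the hook and
 * run it through the hardened dispatcher. Returns the dispatch result. */
int simulate_checked(bool driver_has_hook, bool flag_set)
{
    model_pdev    pdev = { driver_has_hook ? sample_drv_plgblt : NULL };
    model_surface so   = { &pdev, flag_set ? HOOK_PLGBLT_FLAG : 0u };
    return rotate_checked(&so);
}

int main(void)
{
    /* The unchecked path is only exercised where it is safe: driver
     * present and hook requested. The NULL-slot case is deliberately
     * routed through rotate_checked, which is the point of the fix. */
    model_pdev    good = { sample_drv_plgblt };
    model_surface so   = { &good, HOOK_PLGBLT_FLAG };
    printf("unchecked, driver implements hook : %d\n", rotate_unchecked(&so));
    printf("checked,   driver implements hook : %d\n", simulate_checked(true, true));
    printf("checked,   hook flag but no driver fn: %d\n", simulate_checked(false, true));
    printf("checked,   flag clear             : %d\n", simulate_checked(true, false));
    printf("checked,   NULL surface           : %d\n", rotate_checked(NULL));
    return 0;
}
```

In the model, the "hook flag set but slot empty" input is the one that would fault in rotate_unchecked; rotate_checked turns it into a harmless fallback, which is the shape of check a kernel-mode fix for this class of bug takes.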