CVE-2021-1732: Microsoft Windows Local Privilege Escalation Vulnerability Alert

On February 9, 2021, Microsoft February Patch Tuesday fixes a local privilege escalation vulnerability (CVE-2021-1732) in Windows systems. Local attackers can use this vulnerability to elevate system privileges. This vulnerability is used by the attacker in the wild.

Vulnerability Detail

This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution a the logged-on user level. For example, this could be paired with an Adobe Reader exploit. An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug then escalation through this bug. This is also a common tactic for malware.

The vulnerability is caused by the function win32kfull!xxxCreateWindowEx’s lax verification of the data returned by the application layer callback. Local users execute the exploit program to obtain system permissions.

As shown below, after the sample runs, the token of the current process will be modified to the system token to complete the privilege escalation operation.

Affected version

Windows Server, version 20H2 (Server Core  Installation)
Windows 10 Version 20H2 for ARM64-based  Systems
Windows 10 Version 20H2 for 32-bit  Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core  installation)
Windows 10 Version 2004 for x64-based  Systems
Windows 10 Version 2004 for ARM64-based  Systems
Windows 10 Version 2004 for 32-bit  Systems
Windows Server, version 1909 (Server Core  installation)
Windows 10 Version 1909 for ARM64-based  Systems
Windows 10 Version 1909 for x64-based  Systems
Windows 10 Version 1909 for 32-bit  Systems
Windows Server 2019 (Server Core  installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based  Systems
Windows 10 Version 1809 for x64-based  Systems
Windows 10 Version 1809 for 32-bit  Systems
Windows 10 Version 1803 for ARM64-based  Systems
Windows 10 Version 1803 for x64-based  Systems

Solution

In this regard, we recommend that users upgrade Windows to the latest version in time.