Attacker Value
Moderate
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
Low
Attack Vector
Local
3

CVE-2022-21970

Disclosure Date: January 11, 2022
CVE-2022-21970 CVSS v3 Base Score: 6.1
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Privilege Escalation
Techniques
Validation
Validated
Validated
Validated

Description

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Add Assessment

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Difficult to patchGives privileged accessVulnerable in default configurationDifficult to weaponize
Technical Analysis

CVE-2022-21970

Description

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability.
This vulnerability allows an attacker to execute javascript code on every host without permission, also an attacker can steal local system files, and also he can manipulate the actions against the machine and result in changing internal developer settings in Microsoft Edge.

  • NOTE: In this example, Microsoft Edge executes a malicious script without problems.
    This is just a malicious .bat file that reboots the infected machine, and it’s only for testing!
    The attacker can create a malicious file that can take a privileges escalation, malware, spyware, or kernel exploit file and harm seriously your device!
    Not correctly sanitizing and checking for that what users download on their machines by using a MsEdge!

NOTE after the exploit: A malicious user, or whatever user can execute directly malicious .bat files which are created – generated from this javascript exploit by using MsEdge. 😁
According to Edge, this file is safe to run and open. 😁

FAQ

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version

97.0.1072.55 | 1/6/2022 | 97.0.4692.71

STATUS:

  • Patched and fixed on!

The next test is checking if this is fully patched! 🤫 😛 😎

Proof and simple browser test MsEdge: Edge is blocking .sys files because they can harm your device:

This proof of concept is shown as to how the MsEdge browser NOT blocking .bat files, and this is a problem.

  • NOTE: A malicious user, or whatever user can execute directly malicious .bat files which are created – generated by using exactly MsEdge and this javascript exploit.

  • This is ridiculous and incorrect sanitizing!😁

  • According to Edge, this file is safe to run and open. 😁

  • Screenshot, example:

In Action:

  1. download the PoC

  2. extracted somewhere

  3. Execute

start msedge C:\Users\user2022\Desktop\ExploitServer\examples\exploit.html

Example from the function():

    $start.onclick = () => {
        const blob = new Blob(['shutdown /r'])
        const fileStream = streamSaver.createWriteStream('pwned.bat', {
          size: blob.size // Makes the percentage visiable in the download
        })

Reproduce:

href

Proof and Exploit:

href

  • BR nu11secur1ty
Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
6.1 Medium
Impact Score:
4.7
Exploitability Score:
1.3
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
Low
Availability (A):
Low

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Microsoft Edge (Chromium-based) 97.0.1072.55
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • edge chromium

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis