CVE-2021-27077
Description
Windows Win32k Elevation of Privilege Vulnerability
Ratings
- Attacker Value: High
- Exploitability: Low
Technical Analysis
Interesting, so this was a bug within win32kfull.sys!BLTRECORD::bRotate originally disclosed by ZDI as ZDI-CAN-12671, which was a NULL pointer dereference vulnerability within Windows' win32kfull.sys/win32k.sys kernel driver. However, Microsoft originally didn't want to patch this, most likely because Windows 8 and later have memory protections that prevent one from mapping the first 64 KB or so of memory, thereby making it nearly impossible to map the NULL page unless NTVDM is enabled for 16-bit support.
However, with this being said, there have been bypasses of the NULL page protection. One of the most notable was https://twitter.com/waleedassar/status/1270550282695585792/photo/1, which shows that if Intel SGX is enabled on a target PC, it is possible to use NtCreateEnclave() to reserve the NULL page in memory. I imagine that other bypasses may exist; however, given their rarity and Microsoft's willingness to patch them as fast as possible, they are likely traded privately.
Interestingly, this vulnerability also affects Windows 7 and Windows Server 2008 and 2008 R2, which only later got these NULL page mitigations backported from Windows 8. Therefore, whilst it's unlikely that recently updated systems are going to be exploitable as a result of this NULL page mitigation backporting, it's possible that servers running very outdated versions of these systems may be readily exploitable via this vulnerability.
Assuming the NULL page is mapped though, what will happen is that if the 4-parameter version of win32kfull.sys!BLTRECORD::bRotate is called with a flag parameter that has the HOOK_PLGBLT bit set within it, it will take the surface object that it is trying to draw on and will look at that surface object's hdev field to find the handle to the device driver to use. It will then attempt to call the DrvPlgBlt() function of the device driver without first checking to see if the device driver specified by hdev provides a DrvPlgBlt() function. This can lead to an attempt to execute code from the NULL page as SYSTEM.
So overall, if you can map the NULL page this is a pretty easy vulnerability to exploit, but with the backporting of the NULL page mitigation and the standardization of preventing the NULL page from being mapped starting with Windows 8, it's easy to understand why this was less of a concern for Microsoft to fix.
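The bug class described in the assessment above (a driver hook flag trusted without checking that the corresponding entry point exists), shown as an added example that is not taken from win32k or from the assessment author. The structures, the HOOK_PLGBLT value and the function names below are a constructed, simplified model of a GDI device and surface object, not the real kernel layouts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a display driver's device object: only the hook
 * flags and the DrvPlgBlt entry point are modelled. */
typedef bool (*PFN_DrvPlgBlt)(void *surf);

typedef struct {
    uint32_t      flHooks;    /* HOOK_* bits the driver claims to handle */
    PFN_DrvPlgBlt DrvPlgBlt;  /* NULL when the driver implements no DrvPlgBlt */
} PDEV_MODEL;

typedef struct {
    PDEV_MODEL *hdev;         /* device that owns this surface */
} SURFOBJ_MODEL;

#define HOOK_PLGBLT 0x00000004u  /* assumed bit value for this model only */

/* Vulnerable shape (as the assessment describes it): the HOOK_PLGBLT bit
 * alone decides to call through hdev->DrvPlgBlt. If the driver did not
 * supply one, the call goes to address 0; with the NULL page mapped that
 * runs whatever was placed there, in kernel mode. */
static bool bRotate_vulnerable(SURFOBJ_MODEL *pso, uint32_t flags) {
    if (flags & HOOK_PLGBLT)
        return pso->hdev->DrvPlgBlt(pso);   /* NULL function pointer call */
    return true;
}

/* Hardened shape: the flag is only a hint; the entry point must be
 * non-NULL before it is called, otherwise the driver path is refused. */
static bool bRotate_hardened(SURFOBJ_MODEL *pso, uint32_t flags) {
    if ((flags & HOOK_PLGBLT) && pso->hdev != NULL && pso->hdev->DrvPlgBlt != NULL)
        return pso->hdev->DrvPlgBlt(pso);
    return false;
}

static bool fake_DrvPlgBlt(void *surf) { (void)surf; return true; }

/* Driver sets HOOK_PLGBLT but provides no DrvPlgBlt: hardened path must refuse. */
int hardened_refuses_missing_entry(void) {
    PDEV_MODEL dev = { HOOK_PLGBLT, NULL };
    SURFOBJ_MODEL surf = { &dev };
    return bRotate_hardened(&surf, HOOK_PLGBLT) == false;
}

/* Driver provides DrvPlgBlt: hardened path still dispatches to it. */
int hardened_calls_present_entry(void) {
    PDEV_MODEL dev = { HOOK_PLGBLT, fake_DrvPlgBlt };
    SURFOBJ_MODEL surf = { &dev };
    return bRotate_hardened(&surf, HOOK_PLGBLT) == true;
}
```

bRotate_vulnerable is kept only for comparison; calling it with a NULL entry point crashes the process, which is exactly the control-flow the check prevents.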
General Information
Vendors
- microsoft
Products
- windows 10 -
- windows 10 1607
- windows 10 1803
- windows 10 1809
- windows 10 1909
- windows 10 2004
- windows 10 20h2
- windows 7 -
- windows 8.1 -
- windows rt 8.1 -
- windows server 2008 r2
- windows server 2012 -
- windows server 2012 r2
- windows server 2016 -
- windows server 2016 1909
- windows server 2016 2004
- windows server 2016 20h2
- windows server 2019 -