Attacker Value: High (1 user assessed)
Exploitability: Low (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Local
CVE-2021-27077

Disclosure Date: March 11, 2021
Description

Windows Win32k Elevation of Privilege Vulnerability

3 Ratings
Technical Analysis

Interesting, so this was a bug within win32kfull.sys!BLTRECORD::bRotate originally disclosed by ZDI as ZDI-CAN-12671, which was a NULL pointer dereference vulnerability within Windows' win32kfull.sys/win32k.sys kernel driver. However, Microsoft originally didn't want to patch this, most likely because Windows 8 and later has memory protections that prevent one from mapping the first 64 KB or so of memory, thereby making it nearly impossible to map the NULL page unless NTVDM is enabled for 16-bit support.

However, with this being said, there have been bypasses of the NULL page protection. One of the most notable was https://twitter.com/waleedassar/status/1270550282695585792/photo/1, which shows that if Intel SGX is enabled on a target PC, it is possible to use NtCreateEnclave() to reserve the NULL page in memory. I imagine that other bypasses may exist; however, given their rarity and Microsoft's willingness to patch them as fast as possible, they are likely traded privately.

Interestingly, this vulnerability also affects Windows 7 and Windows Server 2008 and 2008 R2, which only later got these NULL page mitigations backported from Windows 8. Therefore, whilst it's unlikely that recently updated systems are going to be exploitable as a result of this NULL page mitigation backporting, it's possible that servers running very outdated versions of these systems may be readily exploitable via this vulnerability.

Assuming the NULL page is mapped, though, what will happen is that if the 4-parameter version of win32kfull.sys!BLTRECORD::bRotate is called with a flag parameter that has the HOOK_PLGBLT bit set within it, it will take the surface object that it is trying to draw on and will look at that surface object's hdev field to find the handle to the device driver to use. It will then attempt to call the DrvPlgBlt() function of the device driver without first checking to see if the device driver specified by hdev provides a DrvPlgBlt() function. This can lead to an attempt to execute code from the NULL page as SYSTEM.

So overall, if you can map the NULL page this is a pretty easy vulnerability to exploit, but with the backporting of the NULL page mitigation and the standardization of preventing the NULL page from being mapped starting with Windows 8, it's easy to understand why this was less of a concern for Microsoft to fix.
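The unchecked hook dispatch described in the analysis above, as an added C model that is not code from this page or from Win32k: the structure layouts, the HOOK_PLGBLT value and the engine fallback name are assumptions. The dispatch returns the function pointer it would call rather than calling it, so the missing NULL check is observable next to the hardened form.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed model of the objects the analysis names; not Win32k's real layouts. */
#define HOOK_PLGBLT 0x1000u          /* constructed flag bit, not the real value */
typedef bool (*plgblt_fn)(void *dst);
typedef struct { plgblt_fn DrvPlgBlt; } PDEV_MODEL;   /* NULL if not implemented */
typedef struct { PDEV_MODEL *hdev; } SURFOBJ_MODEL;

enum target { TARGET_NULL = 0, TARGET_DRIVER = 1, TARGET_ENGINE = 2 };

/* Stand-ins for a driver's DrvPlgBlt and GDI's engine fallback (hypothetical). */
static bool driver_plgblt_stub(void *dst) { (void)dst; return true; }
static bool eng_plgblt_stub(void *dst)    { (void)dst; return true; }

/* Vulnerable pattern: the flag alone selects the driver entry point, so a
 * driver that does not provide DrvPlgBlt yields a NULL call target. */
static plgblt_fn select_target_unchecked(const SURFOBJ_MODEL *so, unsigned flags) {
    if (flags & HOOK_PLGBLT)
        return so->hdev->DrvPlgBlt;       /* no NULL check */
    return eng_plgblt_stub;
}

/* Hardened pattern: honour the hook only when the driver really supplies it,
 * otherwise fall back to the engine routine. */
static plgblt_fn select_target_checked(const SURFOBJ_MODEL *so, unsigned flags) {
    if ((flags & HOOK_PLGBLT) && so->hdev != NULL && so->hdev->DrvPlgBlt != NULL)
        return so->hdev->DrvPlgBlt;
    return eng_plgblt_stub;
}

/* Builds a surface whose driver may or may not implement DrvPlgBlt and reports
 * which target the chosen dispatch would jump to. */
static int resolve(bool use_check, bool driver_has_hook, unsigned flags) {
    PDEV_MODEL dev = { driver_has_hook ? driver_plgblt_stub : NULL };
    SURFOBJ_MODEL so = { &dev };
    plgblt_fn fn = use_check ? select_target_checked(&so, flags)
                             : select_target_unchecked(&so, flags);
    if (fn == NULL) return TARGET_NULL;
    return fn == driver_plgblt_stub ? TARGET_DRIVER : TARGET_ENGINE;
}

int main(void) {
    printf("unchecked, no DrvPlgBlt: %d (0 = jump to NULL page)\n",
           resolve(false, false, HOOK_PLGBLT));
    printf("checked,   no DrvPlgBlt: %d (2 = engine fallback)\n",
           resolve(true, false, HOOK_PLGBLT));
    return 0;
}
```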

CVSS V3 Severity and Metrics
Base Score: 7.8 High
Impact Score: 5.9
Exploitability Score: 1.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • microsoft

Products

  • windows 10 -
  • windows 10 1607
  • windows 10 1803
  • windows 10 1809
  • windows 10 1909
  • windows 10 2004
  • windows 10 20h2
  • windows 7 -
  • windows 8.1 -
  • windows rt 8.1 -
  • windows server 2008 r2
  • windows server 2012 -
  • windows server 2012 r2
  • windows server 2016 -
  • windows server 2016 1909
  • windows server 2016 2004
  • windows server 2016 20h2
  • windows server 2019 -