Win32k Window Object Type Confusion [CVE-2022-21882]
Original Post:
We discussed this vulnerability during Episode 116 on 01 February 2022
Once again, a user-mode callback issued from the Windows kernel let an attacker change an object's type while the kernel still held a reference to it, leading to a type confusion.
The post indicates that several kernel window procedures (xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc) could be used to trigger the xxxClientAllocWindowClassExtraBytes callback. From inside the callback, user mode could call NtUserConsoleControl to set the ConsoleWindow flag of the tagWND object. Once the callback returned, the kernel accessed the tagWND object unaware that its type had changed, leading to a type confusion where a user-mode pointer is treated as an offset into the desktop heap, which can then be used for further out-of-bounds accesses.
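The pattern above, a type tag read before a user-mode callback and never re-checked after it, is easy to reproduce in a small model. The C program below is an added example written for these notes, not Win32k source: the struct layout, the flag constant, the fake desktop heap and every function name are invented stand-ins for tagWND, ConsoleWindow, the extra-bytes callback and NtUserConsoleControl. It shows the vulnerable flow (the callback flips the flag, so the stored user-mode pointer is later resolved as a heap offset, far outside the heap) next to one hardened flow that snapshots the type tag and rejects the result if the tag changed while user mode had control. That hardening is the model's own choice, not a claim about how the real patch is implemented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the callback/type-confusion pattern; not Win32k code.
 * Layout, names and helpers are invented for illustration only. */

#define MODEL_FLAG_CONSOLE_WINDOW 0x1u   /* stand-in for tagWND.ConsoleWindow */

typedef struct {
    uint32_t  flags;  /* type tag: clear = extra is a user-mode pointer,
                         set   = extra is an offset into the desktop heap */
    uintptr_t extra;  /* stand-in for the window's extra-bytes field */
} model_wnd;

static unsigned char desktop_heap[256];   /* stand-in for the kernel desktop heap */
static unsigned char user_buffer[64];     /* stand-in for a user-mode allocation */

/* User-mode callback, as reached through the extra-bytes allocation path.
 * It returns a user-mode pointer and may call back into the kernel. */
typedef uintptr_t (*alloc_extra_cb)(model_wnd *wnd);

/* Models NtUserConsoleControl flipping the window into "console window" mode. */
static void model_console_control(model_wnd *wnd)
{
    wnd->flags |= MODEL_FLAG_CONSOLE_WINDOW;
}

/* Resolve the extra-bytes field using the flag as the type tag.
 * Returns 2 for a plain user-mode pointer, 1 for an offset inside
 * desktop_heap, 0 for an offset outside it (an out-of-bounds access
 * in the real kernel). */
static int resolve_extra(const model_wnd *wnd, uintptr_t *addr_out)
{
    if (wnd->flags & MODEL_FLAG_CONSOLE_WINDOW) {
        *addr_out = (uintptr_t)desktop_heap + wnd->extra;   /* offset view */
        return wnd->extra < sizeof desktop_heap ? 1 : 0;
    }
    *addr_out = wnd->extra;                                 /* pointer view */
    return 2;
}

/* Vulnerable flow: the type is fixed before the callback and never re-read,
 * so a callback that flips the flag leaves a user pointer in an offset slot. */
static int create_window_vulnerable(model_wnd *wnd, alloc_extra_cb cb)
{
    uintptr_t user_ptr = cb(wnd);
    wnd->extra = user_ptr;       /* stored as if the flag were still clear */
    return 0;
}

/* Hardened flow: snapshot the type tag and refuse the callback's result
 * if the tag changed while user mode had control. */
static int create_window_hardened(model_wnd *wnd, alloc_extra_cb cb)
{
    uint32_t before = wnd->flags & MODEL_FLAG_CONSOLE_WINDOW;
    uintptr_t user_ptr = cb(wnd);
    if ((wnd->flags & MODEL_FLAG_CONSOLE_WINDOW) != before)
        return -1;               /* type changed under us: bail out */
    wnd->extra = user_ptr;
    return 0;
}

static uintptr_t benign_cb(model_wnd *wnd)
{
    (void)wnd;
    return (uintptr_t)user_buffer;
}

/* Malicious callback: flips the type tag before returning the pointer. */
static uintptr_t malicious_cb(model_wnd *wnd)
{
    model_console_control(wnd);
    return (uintptr_t)user_buffer;
}

/* Verdict from resolve_extra() after the vulnerable path; 0 means the
 * user pointer is now being used as a (huge) desktop-heap offset. */
int demo_vulnerable(void)
{
    model_wnd wnd = { 0, 0 };
    uintptr_t addr;
    create_window_vulnerable(&wnd, malicious_cb);
    return resolve_extra(&wnd, &addr);
}

/* The hardened path rejects the same callback: returns -1. */
int demo_hardened(void)
{
    model_wnd wnd = { 0, 0 };
    return create_window_hardened(&wnd, malicious_cb);
}

/* A well-behaved callback still works: returns 2 (plain user pointer). */
int demo_benign(void)
{
    model_wnd wnd = { 0, 0 };
    uintptr_t addr;
    if (create_window_hardened(&wnd, benign_cb) != 0)
        return -99;
    return resolve_extra(&wnd, &addr);
}

int main(void)
{
    printf("vulnerable path verdict: %d (0 = out-of-bounds offset)\n", demo_vulnerable());
    printf("hardened path result:    %d (-1 = rejected)\n", demo_hardened());
    printf("benign callback verdict: %d (2 = user pointer)\n", demo_benign());
    return 0;
}
```

The check that matters is the one after the callback: any field the kernel uses to decide how to interpret another field must be treated as untrusted again once control has been in user mode, either by re-reading and comparing it (as here) or by making the callback unable to change it at all.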