Type confusion in Windows COM+ Event System Service [CVE-2022-41033]
Another type confusion spawned from the use of unions. This bug occurred in the InMemoryRegRow::PutPropertyBag() method of the COM+ (Component Object Model) Event System service when handling PROPVARIANT objects (a generic container object that can hold integers or COM pointers). The function takes two PROPVARIANT objects as input, which are expected to hold a vector of strings and a vector of PROPVARIANTs, but it never actually validates the variant type; the code assumes the type is the CAPROPVARIANT it expects. As an attacker, you can supply a VT_BLOB variant type instead (which points to data you control), which you can use to fake a VT_UNKNOWN object and eventually get a crafted vtable followed for code execution.
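The missing check, as an added example that is not from the original page and is not Microsoft's code: a tag check that must pass before either union arm is read. PropVar is a simplified stand-in for PROPVARIANT, and validate_property_bag, BagStatus and the one-value-per-name rule are assumptions made for illustration; the VT_* values are the real ones from the Windows SDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

/* Real VARTYPE values from the Windows SDK (wtypes.h). */
enum { VT_VARIANT = 12, VT_LPWSTR = 31, VT_BLOB = 65, VT_VECTOR = 0x1000 };

/* Simplified stand-in for PROPVARIANT: a type tag plus a union of arms. */
typedef struct PropVar PropVar;
struct PropVar {
    uint16_t vt;
    union {
        struct { uint32_t cElems; wchar_t **pElems; } calpwstr;  /* VT_VECTOR|VT_LPWSTR  */
        struct { uint32_t cElems; PropVar *pElems; } capropvar;  /* VT_VECTOR|VT_VARIANT */
        struct { uint32_t cbSize; uint8_t *pBlobData; } blob;    /* VT_BLOB: raw bytes   */
    } u;
};

typedef enum { BAG_OK = 0, BAG_BAD_TYPE, BAG_BAD_SHAPE } BagStatus;

/* Hypothetical hardened entry check: validate both tags before reading any arm.
   Every arm here is "count + pointer", so vt is the only thing that
   distinguishes caller-supplied blob bytes from a vector of variants. */
BagStatus validate_property_bag(const PropVar *names, const PropVar *values)
{
    if (!names || !values)
        return BAG_BAD_SHAPE;
    if (names->vt != (VT_VECTOR | VT_LPWSTR))
        return BAG_BAD_TYPE;    /* not a vector of strings */
    if (values->vt != (VT_VECTOR | VT_VARIANT))
        return BAG_BAD_TYPE;    /* e.g. VT_BLOB is rejected here */
    /* Assumed invariant: one value per name, no NULL array with a count. */
    if (names->u.calpwstr.cElems != values->u.capropvar.cElems)
        return BAG_BAD_SHAPE;
    if (names->u.calpwstr.cElems &&
        (!names->u.calpwstr.pElems || !values->u.capropvar.pElems))
        return BAG_BAD_SHAPE;
    return BAG_OK;
}
```
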