0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues

As part of January Patch Tuesday, Microsoft fixed a dangerous 0-day privilege escalation vulnerability for which a PoC exploit is available online.

The vulnerability is already being exploited in attacks by highly skilled hacker groups.

The exploit was published by Privacy Piiano founder and CEO Gil Dabah, who discovered the vulnerability two years ago.

Daba said he chose not to report his discovery to Microsoft because it was very difficult to get money through its vulnerability bounty program.

Found it two years ago. Not recently. That’s the point. The reason I didn’t reveal it is because I waited a very long time for Microsoft to pay me for another find. By the time they finally paid, the fee had dwindled to almost nothing. I was already busy with my startup, and the vulnerability remained unpatched.the researcher said

The vulnerability, identified as CVE-2022-21882, could allow aт attacker to elevate his privileges on the local system.

A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.Microsoft explained in it’s advisory, part of January’s Patch Tuesday updates.

Microsoft mentioned RyeLv as the researcher who discovered the vulnerability. The researcher submitted his description of the input type mismatch vulnerability in Win32k.sys on January 13, 2022.

An attacker could tell the corresponding GUI API in user mode to make a kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc. These kernel functions will cause xxxClientAllocWindowClassExtraBytes to be returned. An attacker can intercept this return by capturing xxxClientAllocWindowClassExtraBytes in the KernelCallbackTable and using the NtUserConsoleControl method to set the ConsoleWindow flag on the tagWND object, which will modify the window type.RyeLv explained.

Investment in the program was also the top recommendation of RyeLv’s technical analysis for Microsoft. He told how to “kill the bug class”:

Improve the kernel zero-day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.

Let me remind you that we also wrote that Zerodium offers up to $400,000 for exploits for Microsoft Outlook, and also that Google recruits a team of experts to find bugs in Android applications.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *