October 2022 Windows Updates brought a fix for CVE-2022-41033, a local privilege escalation vulnerability in Windows COM+ Event System Service. The vulnerability was reported to Microsoft by an anonymous source, but subsequently James Forshaw of Google Project Zero published their analysis, which included proof of concept code.
This "type confusion" vulnerability allows a local low-privileged attacker to provide a memory address of their choosing to vulnerable code. The POC demonstrates reading from such an address (and crashes the Event System Service process as a result), but this issue was reported as exploited in the wild, so attackers must have successfully turned it into a privilege escalation.
While still-supported Windows systems have already received the official vendor fix for this vulnerability (assuming admins have applied the October 2022 or later Windows Update), there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.
Our patches are logically equivalent to Microsoft's patches for this issue.
MODULE_PATH "..\AffectedModules\es.dll_10.0.19041.572_Win10_2004_64bit_u202212\es.dll"
PATCH_ID 1310
PATCH_FORMAT_VER 2
VULN_ID 7646
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0xe669
JUMPOVERBYTES 0
N_ORIGINALBYTES 5
PIT es.dll!0x24eaa
code_start
cmp word[r8], 0x101f ;check if Names.vt == (VT_VECTOR | VT_LPWSTR)
jne ERROR ;if not, report error
cmp word[r9], 0x100c ;check if Values.vt == (VT_VECTOR | VT_VARIANT)
jne ERROR ;if not, report error
mov eax, dword[r9+0x8] ;move Values->capropvar.cElems to eax for cmp
cmp dword[r8+0x8], eax ;compare Names->calpwstr.cElems == Values->capropvar.cElems
jne ERROR ;if not equal, report error
jmp SUCCESS ;if all checks pass, continue with normal execution
ERROR:
jmp PIT_0x24eaa ;in case of error jump to the block that returns 0x80070057
SUCCESS:
code_end
patchlet_end
Let's see our micropatch in action. With 0patch disabled, the POC immediately crashes the Event System Service. With 0patch enabled, the attack doesn't work anymore because the invalid type is detected and blocked by our patch.
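The same three checks written out in C, as an added example that is not 0patch's or Microsoft's code. It assumes a simplified stand-in for the PROPVARIANT layout the patchlet reads (vt at offset 0, cElems at offset 8); prop_t, validate_names_values and total_name_chars are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the PROPVARIANT fields the patchlet reads:
   vt at offset 0, vector element count at offset 8, pointer after it. */
#define VT_VARIANT      0x000c
#define VT_LPWSTR       0x001f
#define VT_VECTOR       0x1000
#define E_INVALIDARG_HR 0x80070057u /* error code returned on a failed check */
#define S_OK_HR         0u

typedef struct {
    uint16_t vt;                 /* type tag chosen by the caller */
    uint16_t reserved[3];
    union {                      /* same bytes, meaning depends on vt */
        uint64_t uhVal;          /* scalar variant: plain integer */
        struct { uint32_t cElems; void *pElems; } vec; /* vector variant */
    } u;
} prop_t;

/* Mirrors the patchlet: both tags must match and the counts must agree.
   The NULL test is an extra guard that the patchlet does not contain. */
uint32_t validate_names_values(const prop_t *names, const prop_t *values)
{
    if (names == NULL || values == NULL)
        return E_INVALIDARG_HR;
    if (names->vt != (VT_VECTOR | VT_LPWSTR))
        return E_INVALIDARG_HR;
    if (values->vt != (VT_VECTOR | VT_VARIANT))
        return E_INVALIDARG_HR;
    if (names->u.vec.cElems != values->u.vec.cElems)
        return E_INVALIDARG_HR;
    return S_OK_HR;
}

/* Consumer that reads the union as a vector only after the tags are verified;
   without the check, a scalar's bytes would be used as cElems and pElems. */
long total_name_chars(const prop_t *names, const prop_t *values)
{
    if (validate_names_values(names, values) != S_OK_HR)
        return -1;
    const uint16_t *const *strs = names->u.vec.pElems;
    long total = 0;
    for (uint32_t i = 0; i < names->u.vec.cElems; i++)
        for (const uint16_t *p = strs[i]; p && *p; p++)
            total++;
    return total;
}
```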
Micropatch Availability
The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 10 v2004
- Windows 10 v1909
- Windows 10 v1809
- Windows 10 v1803
Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email [email protected] for a trial. Everything else will happen automatically. No computer reboot will be needed.
To learn more about 0patch, please visit our Help Center.
We'd like to thank James Forshaw of Google Project Zero for sharing their POC with us, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.