Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
attackerkbAttackerKBAKB:AC6EF4EB-7075-41DD-BE7A-00DEA8B5BA3F
HistoryMar 11, 2021 - 12:00 a.m.

CVE-2021-27077

2021-03-1100:00:00
attackerkb.com
112
cve-2021-27077
elevation of privilege
win32kfull.sys
bltrecord::brotate
null pointer dereference
windows 7
windows server 2008
exploitable vulnerability
memory protections
intel sgx
ntcreateenclave()
null page mitigation
device driver
hook_plgblt
system exploit

EPSS

0.864

Percentile

98.6%

JSON

Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26863, CVE-2021-26875, CVE-2021-26900.

Recent assessments:

gwillcox-r7 at March 11, 2021 6:25pm UTC reported:

Interesting, so this was a bug within win32kfull.sys!BLTRECORD::bRotate originally disclosed by ZDI as ZDI-CAN-12671, which was a NULL pointer dereference vulnerability within Windows’s win32kfull.sys/win32k.sys kernel driver. However Microsoft originally didn’t want to patch this, most likely because Windows 8 and later has memory protections that prevent one from mapping the first 64kb or so of memory, thereby making it nearly impossible to map the NULL page unless NTVM is enabled for 16 bit support.

However with this being said there have been bypasses of the NULL page protection. One of the most notable was <https://twitter.com/waleedassar/status/1270550282695585792/photo/1&gt; which shows that if Intel SGX is enabled on a target PC, it is possible to use NtCreateEnclave() to reserve the NULL page in memory. I imagine that other bypasses may exist however given their rarity and Microsoft’s williness to patch them as fast as possible, they are likely traded privately.

Interestingly this vulnerability also affects Windows 7 and Windows Server 2008 and 2008 R2, which only later got these NULL page mitigations backported from Windows 8. Therefore whilst its unlikely that recently updated systems are going to be able to be exploited as a result of this NULL page mitigation backporting, its possible that servers running very outdated versions of these systems may be readily exploitable via this vulnerability.

Assuming the NULL page is mapped though, what will happen is that if the 4 parameter version of win32kfull.sys!BLTRECORD::bRotate is called with a flag parameter that has the HOOK_PLGBLT bit set within it, it will take the surface object that it is trying to draw on and will look at that surface object’s hdev field to find the handle to the device driver to use. It will then attempt to call the DrvPlgBlt() function of the device driver without first checking to see if that device driver specified by hdev provides a DrvPlgBlt() function. This can lead to an attempt to execute code from the NULL page as SYSTEM.

So overall if you can map the NULL page this is a pretty easy vulnerability to exploit, but with the backporting of the NULL page mitigation and the standardization of preventing the NULL page from being mapped starting with Windows 8, its easy to understand why this was less of a concern for Microsoft to fix.

Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 2

Related

mscve 4
nvd 4
cve 4
cvelist 4
zdi 12
prion 4
checkpoint_advisories 1
nessus 10
mskb 14
threatpost 1
openvas 3
kaspersky 2
rapid7blog 1
mscve
mscve
Windows Win32k Elevation of Privilege Vulnerability
2021-03-09 08:00:00
Windows Win32k Elevation of Privilege Vulnerability
2021-03-09 08:00:00
Windows Win32k Elevation of Privilege Vulnerability
2021-03-09 08:00:00
nvd
nvd
CVE-2021-26875
2021-03-11 16:15:15
CVE-2021-27077
2021-03-11 16:15:18
CVE-2021-26863
2021-03-11 16:15:14
cve
cve
CVE-2021-26900
2021-03-11 16:15:16
CVE-2021-26863
2021-03-11 16:15:14
CVE-2021-27077
2021-03-11 16:15:18
cvelist
cvelist
CVE-2021-27077 Windows Win32k Elevation of Privilege Vulnerability
2021-03-11 15:50:54
CVE-2021-26875 Windows Win32k Elevation of Privilege Vulnerability
2021-03-11 15:39:27
CVE-2021-26900 Windows Win32k Elevation of Privilege Vulnerability
2021-03-11 15:44:10
zdi
zdi
Microsoft Windows win32kfull MulTextOut Untrusted Pointer Dereference Privilege Escalation Vulnerability
2021-04-29 00:00:00
Microsoft Windows win32kfull bStretch NULL Pointer Dereference Privilege Escalation Vulnerability
2021-03-15 00:00:00
Microsoft Windows win32kfull MulStrokeAndFillPath Untrusted Pointer Dereference Privilege Escalation Vulnerability
2021-04-29 00:00:00
prion
prion
Privilege escalation
2021-03-11 16:15:00
Privilege escalation
2021-03-11 16:15:00
Privilege escalation
2021-03-11 16:15:00
checkpoint_advisories
checkpoint_advisories
Microsoft Win32k Elevation of Privilege (CVE-2021-26863)
2021-03-09 00:00:00
nessus
nessus
KB5000802: Windows Security Update (March 2021)
2021-03-09 00:00:00
KB5000808: Windows 10 Version 1909 March 2021 Security Update
2021-03-09 00:00:00
KB5000856: Windows Server 2008 March 2021 Security Update
2021-03-09 00:00:00
mskb
mskb
March 9, 2021—KB5000856 (Security-only update)
2021-03-09 08:00:00
March 9, 2021—KB5000809 (OS Build 17134.2087)
2021-03-09 08:00:00
March 9, 2021—KB5000844 (Monthly Rollup)
2021-03-09 08:00:00
threatpost
threatpost
Microsoft Patch Tuesday Updates Fix 14 Critical Bugs
2021-03-09 22:12:56
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB5000807)
2021-03-10 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB5000802)
2021-03-10 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB5000847)
2021-03-10 00:00:00
kaspersky
kaspersky
KLA12112 Multiple vulnerabilities in Microsoft Products (ESU)
2021-03-09 00:00:00
KLA12111 Multiple vulnerabilities in Microsoft Windows
2021-03-09 00:00:00
rapid7blog
rapid7blog
Patch Tuesday - March 2021
2021-03-09 22:13:03

EPSS

0.864

Percentile

98.6%

JSON
Related for AKB:AC6EF4EB-7075-41DD-BE7A-00DEA8B5BA3F
mscve4nvd4cve4cvelist4zdi12prion4checkpoint_advisories1nessus10mskb14threatpost1openvas3kaspersky2rapid7blog1