Saturday, January 9, 2021

Windows Kernel Vulnerabilities Found in a Single Function

Posted on: Fri, Jan 10 2021

Introduction

While analyzing Windows kernel vulnerabilities, I noticed that more than 5 bugs have been found in a single function, EtwpNotifyGuid. Among them are CVE-2020-1033, CVE-2020-1034, CVE-2021-1662 and CVE-2021-1682. It is remarkable that more than 5 bugs exist in one Windows kernel function.

This post will deep dive into the details of the vulnerabilities and the fixes released by Microsoft.

CVE-2020-1033: Windows Kernel Information Disclosure Vulnerability

The bug was disclosed by a member of the Microsoft Product Security & Vulnerability Research team (@gabe_k) and patched on September 8th, 2020. It is caused by an invalid check of the input data, as shown below.

The value of the rdx register is not validated before being used as an offset into the input buffer, which allows an out-of-bounds read. The bug was fixed by validating the value of the rdx register.

CVE-2020-1034: Windows Kernel Elevation of Privilege Vulnerability

This bug was also discovered by the Microsoft Product Security & Vulnerability Research team and patched at the same time as CVE-2020-1033.

The details of this vulnerability were published in full immediately afterwards by Yarden Shafir of CrowdStrike and unanme2096.

CVE-2021-1662: Windows Event Tracing Elevation of Privilege Vulnerability

The vulnerability was discovered by madongze (@YanZiShuang) of DBAPPSecurity and patched on January 12th, 2021. An invalid bounds check on the input buffer allows an out-of-bounds access in the kernel pool, which leads to privilege escalation.

As you can see, the bounds check is passed when input_buffer_length is 0x90 and v10 is 0x40, so an out-of-bounds access becomes possible in the EtwpValidateTraceControlFilterDescriptors function. This can be abused for privilege escalation.

Microsoft fixed the bug by checking the length of the buffer in the EtwpValidateTraceControlFilterDescriptors function, as shown below.

CVE-2021-1682: Windows Kernel Elevation of Privilege Vulnerability

This vulnerability was found by Min Li (@lm0963), also of DBAPPSecurity, and patched together with CVE-2021-1662. It is a heap buffer overflow caused by an invalid bounds check. The EtwpNotifyGuid function copies the input buffer using the EtwpAllocDataBlock function and then accesses offset 0x50 of the copy. The earlier checks guarantee that the buffer is larger than 0x48 bytes, but it can still be smaller than 0x50, so the access overwrites the next pool header and causes memory corruption.

The fix for this bug is trivial.
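To make the length-check flaw concrete, here is a constructed C model of the copy-then-access pattern described above. It is an added illustration, not Microsoft's code or a reconstruction of EtwpNotifyGuid; the field width of 8 bytes at offset 0x50 and the pool-allocation stand-in are assumptions. It contrasts the insufficient "larger than 0x48" check with a check that requires the whole accessed field to lie inside the block.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not the kernel's code: a data block is copied from a
 * caller buffer and a 64-bit field at offset 0x50 is then read from the copy. */
#define FIELD_OFFSET   0x50u
#define FIELD_SIZE     sizeof(uint64_t)
#define OLD_MIN_LENGTH 0x48u   /* what the earlier checks guaranteed */

/* Flawed check: 0x49..0x57 pass although the copy cannot hold the field. */
bool length_ok_flawed(size_t length) {
    return length > OLD_MIN_LENGTH;
}

/* Hardened check: the whole field must fit; subtraction form cannot overflow. */
bool length_ok_fixed(size_t length) {
    return length >= FIELD_OFFSET && length - FIELD_OFFSET >= FIELD_SIZE;
}

/* Lengths below `limit` a validator admits although the field would not fit. */
size_t unsafe_lengths_accepted(bool (*validator)(size_t), size_t limit) {
    size_t n = 0;
    for (size_t len = 0; len < limit; len++)
        if (validator(len) && !length_ok_fixed(len))
            n++;
    return n;
}

/* Copy `input` into a block of exactly `length` bytes (stand-in for the pool
 * allocation) and read the field; short blocks are rejected before any copy. */
bool read_field_checked(const uint8_t *input, size_t length, uint64_t *out) {
    if (!length_ok_fixed(length))
        return false;
    uint8_t *block = malloc(length);
    if (!block)
        return false;
    memcpy(block, input, length);
    memcpy(out, block + FIELD_OFFSET, FIELD_SIZE);   /* in bounds by the check */
    free(block);
    return true;
}

int main(void) {
    printf("unsafe lengths admitted: flawed=%zu fixed=%zu\n",
           unsafe_lengths_accepted(length_ok_flawed, 0x100),
           unsafe_lengths_accepted(length_ok_fixed, 0x100));
    return 0;
}
```

The flawed validator admits 15 block sizes (0x49 through 0x57) for which the read at 0x50 would run past the allocation; the hardened one admits none.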

Conclusion

Only one of the bugs above is an information disclosure vulnerability; the others are all elevation of privilege vulnerabilities that can be used for a Chrome sandbox escape. And there is still one more vulnerability in the handling of the same control code of the NtTraceControl function.

This shows that the ETW component is a very vulnerable part of the Windows kernel, and more bugs could be discovered in it.
