Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-21971 PoC — Microsoft Windows Runtime 缓冲区错误漏洞

Source
https://github.com/tufanturhan/CVE-2022-21971-Windows-Runtime-RCE
Associated Vulnerability
Title:Microsoft Windows Runtime 缓冲区错误漏洞 (CVE-2022-21971)
Description:Microsoft Windows Runtime(.net framework)是美国微软(Microsoft)公司的一款Windows操作系统中必要的功能支持库。 Microsoft Windows Runtime 存在缓冲区错误漏洞。以下产品和版本受到影响:Windows 10 Version 21H2 for x64-based Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for 3
Readme
# CVE-2022-21971: Uninitialized pointer free in prauthproviders

<p align='center'>
<img src='pics/cve-2022-21971.gif'>
</p>

## Root-cause

The `WapAuthProvider::CreateInstance` constructor allocates and initializes a `WapAuthProvider` object (0x78 bytes) but it fails to initialize completely its state.

The pointer at offset 0x50 is uninitialized and free'd when the destructor is invoked (in `WapAuthProvider::~WapAuthProvider`):

```
prauthproviders!WapAuthProvider::~WapAuthProvider+0x38:
00007ffd`a91f3078 488b4b50        mov     rcx,qword ptr [rbx+50h] ds:000001cf`efe35fd0=c0c0c0c0c0c0c0c0

0:011> 
prauthproviders!WapAuthProvider::~WapAuthProvider+0x3c:
00007ffd`a91f307c 4883634000      and     qword ptr [rbx+40h],0 ds:000001cf`efe35fc0=0000000000000000

0:011> 
prauthproviders!WapAuthProvider::~WapAuthProvider+0x41:
00007ffd`a91f3081 48ff1578ad0000  call    qword ptr [prauthproviders!_imp_LocalFree (00007ffd`a91fde00)] ds:00007ffd`a91fde00={KERNELBASE!LocalFree (00007ffd`ccdb0620)
```

This is the function using the uninitialized data, see `[0]` and `[1]`:

```c++
void WapAuthProvider::~WapAuthProvider(__int64 this) {
  void *v2; // rcx
  void *v3; // rcx

  *(_QWORD *)this = &WapAuthProvider::`vftable';
  LocalFree(*(HLOCAL *)(this + 56));
  v2 = *(void **)(this + 64);
  *(_QWORD *)(this + 56) = 0i64;
  LocalFree(v2);
  v3 = *(void **)(this + 80);       // <-- [0] uninitialized
  *(_QWORD *)(this + 64) = 0i64;
  LocalFree(v3);                    // <-- [1] free
  *(_QWORD *)(this + 80) = 0i64;
}
```

## Repro

1. Turn on PageHeap via Gflags on `winword.exe`
1. Start Word, attach a debugger to it
1. Open `cve-2022-21971.rtf` in Word

```
(1c84.11b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
verifier!AVrfpDphFindBusyMemoryNoCheck+0x8a:
00007ffd`78d84742 817ac0bbbbcdab  cmp     dword ptr [rdx-40h],0ABCDBBBBh ds:c0c0c0c0`c0c0c080=????????

0:011> kc
 # Call Site
00 verifier!AVrfpDphFindBusyMemoryNoCheck
01 verifier!AVrfpDphFindBusyMemory
02 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList
03 verifier!AVrfDebugPageHeapFree
04 ntdll!RtlDebugFreeHeap
05 ntdll!RtlpFreeHeap
06 ntdll!RtlpFreeHeapInternal
07 ntdll!RtlFreeHeap
08 KERNELBASE!LocalFree
09 prauthproviders!WapAuthProvider::~WapAuthProvider
0a prauthproviders!WapAuthProvider::`vector deleting destructor'
0b prauthproviders!WapAuthProvider::Release
0c prauthproviders!CClassFactory::CreateInstance
0d combase!CServerContextActivator::CreateInstance
0e combase!ActivationPropertiesIn::DelegateCreateInstance
0f combase!CApartmentActivator::CreateInstance
```

I've reproduced this on a Windows 10 x64 VM and on Windows 11 x64 with both Wordpad (but requires one click) and Office Word 2019.
File Snapshot

 [4.0K]  /data/pocs/62d6026361124035d04c32d8507a701b01733bdc
├── [ 175]  cve-2022-21971.rtf
├── [1.0K]  LICENSE
├── [4.0K]  pics
│   └── [259K]  cve-2022-21971.gif
└── [2.7K]  README.md

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.