CVE-2022-21852 Windows DWM Core Library Elevation of Privilege Vulnerability

This vulnerability is caused by an error in the DWM core library code which does not prevent overlays from being marked as read-only when they should be marked as read-write. As a result, any user with the ability to create or edit an overlay can change the permissions of the corresponding file. A local user with privileges to create or edit an X server’s configuration can exploit this flaw to escalate his/her access to system level privileges.

To exploit this flaw, an attacker must be able to write to an affected DLL file. This can occur, for example, if an attacker has the ability to create a shortcut to an X server’s configuration on the local machine. In this scenario, the attacker has the ability to create an overlay which will be marked as read-only. An attacker with this ability can exploit this flaw to elevate their access to system level privileges.

The DWM X server configuration is part of the X server’s global configuration. As such, this X server configuration can be changed via a system-level change. Therefore, a local user with the ability to create an X server shortcut can exploit this flaw to elevate their access to system level privileges.

Workarounds

There are workarounds available for CVE-2011-3087, however, they are not recommended due to their lack of reliability. Users who require reliability should consider using a different window manager.

Microsoft Windows and Microsoft DirectX

Microsoft Windows and Microsoft DirectX are a comprehensive set of technologies used by many computer applications to create, render and display graphics, videos, and other multimedia.
Microsoft Windows and Microsoft DirectX rely on the DWM core library which has multiple vulnerabilities that can be exploited by an attacker to gain elevated privileges. Microsoft has released MS15-018 for this vulnerability.

The CVE-2011-3087 vulnerability is caused by DWM core library code which does not prevent overlays from being marked as read-only when they should be marked as read-write. As a result, any user with the ability to create or edit an overlay can change the permissions of the corresponding file. A local user with privileges to create or edit an X server’s configuration can exploit this flaw to escalate his/her access to system level privileges. To exploit this flaw, an attacker must be able to write to an affected DLL file. This can occur, for example, if an attacker has the ability to create a shortcut to an X server’s configuration on the local machine. In this scenario, the attacker has the ability to create an overlay which will be marked as read-only. An attacker with this ability can exploit this flaw to elevate their access to system level privileges. The DWM X server configuration is part of the X server’s global configuration. As such, this X server configuration can be changed via a system-level change. Therefore, a local user with the

Apache httpd 2.2.21 and earlier Remote Code Execution Vulnerability

A security vulnerability has been discovered in Apache httpd 2.2.21 and earlier that allows remote attackers to execute arbitrary code on the target system without authentication. This flaw is only exploitable when the apache_httpd binary is setuid to another user account. A local user can use this flaw to escalate their privileges to other users such as a root shell from within apache httpd by creating an overlapped file descriptor for the apache_httpd binary. This vulnerability does not allow for elevation of privileges outside of Linux, because it requires access to the apache_httpd binary which must be setuid-root in order for privilege escalation.

Mitigate Risk of CVE-2011-3087


The vulnerability can be mitigated by not running X11. To mitigate the risk, there are workarounds available which are not recommended due to their lack of reliability.

Vulnerability Details:

It is possible for a local user to change the permissions of an X server’s configuration file. This can allow the attacker to elevate their access to system level privileges.
To exploit this flaw, an attacker must be able to write to an affected DLL file.
There are workarounds available for CVE-2011-3087, however, they are not recommended due to their lack of reliability.

Impact of Vulnerability

This vulnerability allows an attacker to escalate their access to system level privileges on the local machine. This type of privilege escalation is not possible in a normal scenario, but would be possible if an attacker has a privileged account (such as root), or if they have been able to create a shortcut to the X server's configuration on their local machine.
