CVE-2021-40449 Vulnerability Analysis

0x00 Vulnerability Information

Impact: local privilege escalation

Affected file: win32kfull.sys

Vulnerable function: GreResetDCInternal

Root cause: use-after-free

Date: October 12, 2021

[Vulnerability analysis collection]

0x01 Vulnerability Analysis

Exploit chain

00 fffffe0b`1b6d1318 ffffd058`52015fac win32kfull!pppUserModeCallback  <- calls back into ring 3; the DC is freed there, causing the use-after-free
01 fffffe0b`1b6d1320 ffffd058`52014ec1 win32kfull!ClientPrinterThunk+0x68
02 fffffe0b`1b6d1360 ffffd058`5210720d win32kfull!UMPDOBJ::Thunk+0x6d
03 fffffe0b`1b6d13d0 ffffd058`523d4ecb win32kfull!UMPDDrvEnablePDEV+0x2ad
04 fffffe0b`1b6d1550 ffffd058`523d5771 win32kbase!PDEVOBJ::EnablePDEV+0x7f
05 fffffe0b`1b6d15c0 ffffd058`523f0518 win32kbase!PDEVOBJ::PDEVOBJ+0x1e1
06 fffffe0b`1b6d1850 ffffd058`5212eeaf win32kbase!hdcOpenDCW+0x298
07 fffffe0b`1b6d1950 ffffd058`5212ed3a win32kfull!GreResetDCInternal+0x10f
08 fffffe0b`1b6d1a10 fffff800`a55fc553 win32kfull!NtGdiResetDC+0xca
09 fffffe0b`1b6d1a90 00007ffc`022c6aa4 nt!KiSystemServiceCopyEnd+0x13
0a 00000004`77b6fc48 00007ffc`0215f0ae win32u!NtGdiResetDC+0x14
0b 00000004`77b6fc50 00007ffc`0218ff8d gdi32full!ResetDCWInternal+0x15e
0c 00000004`77b6fd50 00007ff7`50171ecb gdi32full!ResetDCA+0x3d
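The stack above is the whole of the post's evidence: NtGdiResetDC is still on the kernel stack (frame 08) while win32k has handed control back to ring 3 through pppUserModeCallback (frame 00), which is the window in which the DC can be freed underneath GreResetDCInternal. The following Python script is an added example, not code from the original post: it parses WinDbg "k" output into frames, splits them into kernel and user frames by the child stack pointer, and reports any Nt* syscall handler that re-entered user mode through a callback, printing the frames between the two. The sample stack is the one printed above (with the author's inline annotation removed); the names SAMPLE_STACK, parse_stack, find_callback_reentry and KERNEL_BASE are this example's own, and the kernel/user address split assumes an x64 dump, which the ffff... stack pointers indicate.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# WinDbg "k" output as printed in the post (frames 00-0c), with the author's inline
# annotation on frame 00 removed so that every line has the same four-column shape.
SAMPLE_STACK = """\
00 fffffe0b`1b6d1318 ffffd058`52015fac win32kfull!pppUserModeCallback
01 fffffe0b`1b6d1320 ffffd058`52014ec1 win32kfull!ClientPrinterThunk+0x68
02 fffffe0b`1b6d1360 ffffd058`5210720d win32kfull!UMPDOBJ::Thunk+0x6d
03 fffffe0b`1b6d13d0 ffffd058`523d4ecb win32kfull!UMPDDrvEnablePDEV+0x2ad
04 fffffe0b`1b6d1550 ffffd058`523d5771 win32kbase!PDEVOBJ::EnablePDEV+0x7f
05 fffffe0b`1b6d15c0 ffffd058`523f0518 win32kbase!PDEVOBJ::PDEVOBJ+0x1e1
06 fffffe0b`1b6d1850 ffffd058`5212eeaf win32kbase!hdcOpenDCW+0x298
07 fffffe0b`1b6d1950 ffffd058`5212ed3a win32kfull!GreResetDCInternal+0x10f
08 fffffe0b`1b6d1a10 fffff800`a55fc553 win32kfull!NtGdiResetDC+0xca
09 fffffe0b`1b6d1a90 00007ffc`022c6aa4 nt!KiSystemServiceCopyEnd+0x13
0a 00000004`77b6fc48 00007ffc`0215f0ae win32u!NtGdiResetDC+0x14
0b 00000004`77b6fc50 00007ffc`0218ff8d gdi32full!ResetDCWInternal+0x15e
0c 00000004`77b6fd50 00007ff7`50171ecb gdi32full!ResetDCA+0x3d
"""

# One frame line: index, child stack pointer, return address, module!symbol[+0xoffset].
FRAME_RE = re.compile(
    r"^\s*(?P<idx>[0-9a-f]{2})\s+"
    r"(?P<sp>[0-9a-f]{8}`[0-9a-f]{8})\s+"
    r"(?P<ret>[0-9a-f]{8}`[0-9a-f]{8})\s+"
    r"(?P<module>\w+)!(?P<symbol>[^+\s]+)(?:\+0x(?P<off>[0-9a-f]+))?\s*$"
)

# Lowest canonical kernel-space address on x64 Windows (assumption: the dump is from
# an x64 system, which the ffff... stack pointers in the sample indicate).
KERNEL_BASE = 0xFFFF800000000000


@dataclass
class Frame:
    index: int
    child_sp: int
    ret_addr: int
    module: str
    symbol: str
    offset: int

    @property
    def name(self) -> str:
        return f"{self.module}!{self.symbol}"

    @property
    def is_kernel(self) -> bool:
        # The child stack pointer tells us which stack (kernel or user) the frame lives on.
        return self.child_sp >= KERNEL_BASE


def parse_stack(text: str) -> List[Frame]:
    """Parse WinDbg 'k' output into Frame records, skipping lines that do not match."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frames.append(Frame(
            index=int(m["idx"], 16),
            child_sp=int(m["sp"].replace("`", ""), 16),
            ret_addr=int(m["ret"].replace("`", ""), 16),
            module=m["module"],
            symbol=m["symbol"],
            offset=int(m["off"], 16) if m["off"] else 0,
        ))
    return frames


def find_callback_reentry(frames: List[Frame]) -> Optional[Dict[str, object]]:
    """Report a kernel Nt* syscall handler that re-entered user mode through a callback.

    This is the shape the post points at: the syscall is still on the kernel stack
    while win32k has called back into ring 3, so user code runs before the syscall's
    object references (here the DC) are released.
    """
    kernel = [f for f in frames if f.is_kernel]
    # Syscall handler: the kernel frame nearest the user/kernel boundary named Nt*.
    syscall = next((f for f in reversed(kernel) if f.symbol.startswith("Nt")), None)
    # User-mode callback: the innermost kernel frame that hands control back to ring 3.
    callback = next((f for f in kernel if "UserModeCallback" in f.symbol), None)
    if syscall is None or callback is None or callback.index >= syscall.index:
        return None
    chain = [f.name for f in frames if callback.index <= f.index <= syscall.index]
    return {"syscall": syscall.name, "callback": callback.name, "chain": chain}


if __name__ == "__main__":
    hit = find_callback_reentry(parse_stack(SAMPLE_STACK))
    if hit:
        print(f"{hit['syscall']} re-entered user mode via {hit['callback']}:")
        for name in hit["chain"]:
            print("   ", name)
```

Run on the sample, the script reports win32kfull!NtGdiResetDC re-entering user mode via win32kfull!pppUserModeCallback with the nine frames in between, GreResetDCInternal and hdcOpenDCW among them; the same check applied to a crash dump where the user-mode frames (0a-0c) are the only ones left returns nothing, since no Nt* handler remains on the kernel stack.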

0x02 References

https://blog.csdn.net/qq_41252520/article/details/123716934

https://bbs.pediy.com/thread-269930.htm

https://www.anquanke.com/post/id/260841

https://xz.aliyun.com/t/10979?page=1#toc-1

posted @ 2022-06-01 14:17 by 紅人