Wednesday, March 1, 2023

Micropatches for Windows COM+ Event System Service Elevation of Privilege Vulnerability (CVE-2022-41033)


 

October 2022 Windows Updates brought a fix for CVE-2022-41033, a local privilege escalation vulnerability in Windows COM+ Event System Service. The vulnerability was reported to Microsoft by an anonymous source, but subsequently James Forshaw of Google Project Zero published their analysis, which included proof of concept code.

This "type confusion" vulnerability allows a local low-privileged attacker to provide a memory address of their choosing to vulnerable code. The POC demonstrates reading from such an address (and crashes the Event System Service process as a result), but this issue was reported as exploited in the wild, so attackers must have successfully turned it into a privilege escalation.

While still-supported Windows systems have already received the official vendor fix for this vulnerability (assuming admins have applied the October 2022 or later Windows Update), there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.

Our patches are logically equivalent to Microsoft's patches for this issue.



MODULE_PATH "..\AffectedModules\es.dll_10.0.19041.572_Win10_2004_64bit_u202212\es.dll"
PATCH_ID 1310
PATCH_FORMAT_VER 2
VULN_ID 7646
PLATFORM win64

patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0xe669
JUMPOVERBYTES 0
N_ORIGINALBYTES 5
PIT es.dll!0x24eaa

code_start
       
    cmp word[r8], 0x101f    ;check if Names.vt == (VT_VECTOR | VT_LPWSTR)
    jne ERROR               ;if not, report error
    cmp word[r9], 0x100c    ;check if Values.vt == (VT_VECTOR | VT_VARIANT)
    jne ERROR               ;if not, report error
    mov eax, dword[r9+0x8]  ;move Values->capropvar.cElems to eax for cmp
    cmp dword[r8+0x8], eax  ;compare Names->calpwstr.cElems == Values->capropvar.cElems
    jne ERROR               ;if not equal, report error
    jmp SUCCESS             ;if all checks pass, continue with normal execution
       
ERROR:
    jmp PIT_0x24eaa         ;in case of error jump to the block that returns 0x80070057
           
SUCCESS:
           
    code_end
patchlet_end
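
The patchlet's three checks restated in C, as an added example that is not 0patch's or Microsoft's code. The struct is a simplified model of a 64-bit PROPVARIANT, and `pv_model`, `check_names_values` and `check_sample` are hypothetical names; the constants are the ones in the patchlet's comments.

```c
#include <stddef.h>
#include <stdint.h>

#define VT_VARIANT  0x000c
#define VT_UI8      0x0015  /* a scalar type: its union bytes are not an array */
#define VT_LPWSTR   0x001f
#define VT_VECTOR   0x1000
#define E_INVALIDARG_MODEL 0x80070057u  /* value the PIT error block returns */

/* Simplified 64-bit PROPVARIANT model (assumption): the tag at offset 0
   decides how the union at offset 8 may be read. */
typedef struct {
    uint16_t vt;
    uint16_t reserved[3];
    union {
        struct { uint32_t cElems; void *pElems; } counted; /* calpwstr, capropvar */
        uint64_t scalar;
    } u;
} pv_model;

/* The patchlet reads vt at [r8]/[r9] and cElems at [r8+0x8]/[r9+0x8]. */
_Static_assert(offsetof(pv_model, vt) == 0, "vt offset");
_Static_assert(offsetof(pv_model, u.counted.cElems) == 8, "cElems offset");

/* Hypothetical helper: the micropatch's three checks, in the same order. */
uint32_t check_names_values(const pv_model *names, const pv_model *values)
{
    if (names->vt != (VT_VECTOR | VT_LPWSTR))    /* 0x101f */
        return E_INVALIDARG_MODEL;
    if (values->vt != (VT_VECTOR | VT_VARIANT))  /* 0x100c */
        return E_INVALIDARG_MODEL;
    if (names->u.counted.cElems != values->u.counted.cElems)
        return E_INVALIDARG_MODEL;
    return 0;                                    /* S_OK: continue as before */
}

/* Builds a constructed Names/Values pair from tags and counts, then checks it. */
uint32_t check_sample(uint16_t nvt, uint32_t n, uint16_t vvt, uint32_t v)
{
    pv_model names = { .vt = nvt, .u.counted = { n, NULL } };
    pv_model values = { .vt = vvt, .u.counted = { v, NULL } };
    return check_names_values(&names, &values);
}

int main(void)
{
    return check_sample(VT_UI8, 2, 0x100c, 2) == E_INVALIDARG_MODEL ? 0 : 1;
}
```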


 

Let's see our micropatch in action. With 0patch disabled, the POC immediately crashes the Event System Service. With 0patch enabled, the attack doesn't work anymore because the invalid type is detected and blocked by our patch.




Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 10 v2004
  2. Windows 10 v1909
  3. Windows 10 v1809
  4. Windows 10 v1803
 
Note that Windows 7 and Server 2008 R2 are not affected by this vulnerability, and Windows 10 v21H1 was still receiving official Windows Updates in October 2022, and therefore doesn't need our patch.

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center.

We'd like to thank James Forshaw of Google Project Zero for sharing their POC, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

 
