
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-1732 is a Windows Win32k Elevation of Privilege vulnerability that was discovered in late 2020 and patched in February 2021. This kernel-level vulnerability affects Windows 10 64-bit operating systems, including the latest version, Windows 10 20H2. The vulnerability was actively exploited in the wild by the Bitter APT group (also known as T-APT-17), primarily targeting countries in Asia (Cyble Blog).
The vulnerability exists in the win32kfull.sys component and stems from the ClientAllocWindowClassExtraBytes callback in win32kfull!CreateWindowEx. The issue occurs when the callback causes a kernel struct member and its flag to fall out of sync. The exploit calls NtUserConsoleControl with a window handle from inside a custom callback, which changes a kernel struct member to an offset, with its flag marking the member as an offset. When NtCallbackReturn is then called, it returns an arbitrary value that overwrites the previous offset member, but the corresponding flag remains unchanged. The kernel code uses this unchecked offset value for heap memory addressing, resulting in out-of-bounds access (Cyble Blog).
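The flag/member desynchronization described above can be shown with a simplified user-mode model. This is an added example, not code from Windows or from the cited report: the struct, field names, constants and the "checked" fix pattern are all hypothetical and only illustrate the bug class and the validation that closes it.

```c
#include <stdint.h>
#include <stdio.h>
#define HEAP_SIZE 256u            /* constructed size of the modelled heap */
#define ARBITRARY 0x10000000u     /* constructed value returned by the callback */

/* Hypothetical object: 'extra' is a pointer-like value or a heap offset,
   depending on 'is_offset'. Not the real kernel layout. */
struct wnd { uintptr_t extra; int is_offset; uintptr_t len; };
typedef uintptr_t (*alloc_cb)(struct wnd *);

/* Models the state change the page attributes to NtUserConsoleControl. */
static void convert_to_offset(struct wnd *w, uintptr_t off) {
    w->extra = off;
    w->is_offset = 1;
}

/* Constructed callback: changes the object's mode, then returns a value. */
static uintptr_t reentrant_cb(struct wnd *w) {
    convert_to_offset(w, 16);
    return ARBITRARY;
}

/* Before: the return value overwrites 'extra'; the flag set during the
   callback is left as it is, so flag and member now disagree. */
static void create_unsafe(struct wnd *w, alloc_cb cb) {
    w->extra = cb(w);
}

/* After (assumed fix pattern): re-read the flag once the callback returns
   and refuse to store the value if the mode changed underneath us. */
static int create_checked(struct wnd *w, alloc_cb cb) {
    uintptr_t v = cb(w);
    if (w->is_offset) return -1;
    w->extra = v;
    return 0;
}

/* Defence in depth: validate an offset before using it for addressing. */
static int offset_in_bounds(const struct wnd *w) {
    return w->is_offset && w->extra <= HEAP_SIZE && w->len <= HEAP_SIZE - w->extra;
}

int main(void) {
    struct wnd a = {0, 0, 8}, b = {0, 0, 8};
    create_unsafe(&a, reentrant_cb);
    int rc = create_checked(&b, reentrant_cb);
    printf("unsafe in_bounds=%d, checked rc=%d in_bounds=%d\n", offset_in_bounds(&a), rc, offset_in_bounds(&b));
    return 0;
}
```

In the unsafe path the object ends up flagged as an offset while holding the callback's value, which fails the bounds check; the checked path rejects the callback result and keeps the valid offset.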
When successfully exploited, this vulnerability allows an attacker to escalate privileges from a medium integrity level to system integrity level on the affected system. This means an attacker could gain elevated system privileges and execute arbitrary code with kernel-level access (Cyble Blog).
Microsoft addressed this vulnerability in the February 2021 security update. Users are strongly advised to apply the latest security patches to mitigate this vulnerability (Krebs on Security).
Source: This report was generated using AI