Exposed Win32k Windows Vulnerability, Researchers Share Proof-of-Concept Exploit


In a significant development, researchers have unveiled a proof-of-concept (PoC) exploit for a Windows local privilege escalation vulnerability. This particular flaw, which was recently patched as part of the May 2023 Patch Tuesday, was actively exploited by threat actors. Tracked as CVE-2023-29336, the vulnerability was initially discovered by cybersecurity firm Avast and was assigned a CVSS v3.1 severity rating of 7.8. By exploiting this vulnerability, low-privileged users could gain elevated Windows SYSTEM privileges, the highest user mode privileges in the Windows operating system.

Avast, the discoverer of the vulnerability, confirmed that it was actively exploited as a zero-day in attacks. However, the specific details of the exploitation remain undisclosed. To raise awareness about this actively exploited flaw and emphasize the importance of applying Windows security updates, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert and included it in its “Known Exploited Vulnerabilities” catalog.

Now, a month after the patch’s release, cybersecurity firm Numen has released comprehensive technical details regarding the CVE-2023-29336 vulnerability. Additionally, they have shared a PoC exploit specifically targeting Windows Server 2016. It is worth noting that Microsoft has stated that the vulnerability only affects older versions of Windows, such as older Windows 10 versions, Windows Server, and Windows 8, and does not impact Windows 11.


Through their analysis, Numen researchers found that the kernel-mode Win32k subsystem (win32k.sys, which implements windows, menus and the rest of the GUI object model) did not take a lock on a nested menu object while it was still working with it, so the object could be tampered with from user mode while the kernel still held a reference to it. By manipulating system memory, an attacker can take control of that menu object and use it to run code at the privilege level of the process that triggered the bug. That first step does not by itself yield administrator-level privileges, but it is the foothold from which the subsequent steps to SYSTEM are built.
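As an added illustration of the bug class described above (this is constructed example code, not code from the original article, from Numen's PoC, or from Win32k), the following C program models a kernel object manager whose objects carry a lock count. The object names, the fixed-slot slab allocator and the user-mode callback used as the trigger are all assumptions made for the demonstration. The point it shows is that an object the kernel keeps using across an attacker-influenced operation must be locked; otherwise the memory it occupies can be freed and re-filled with attacker-chosen contents before the kernel reads it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a kernel object with a lock count.
 * Names (menu_t, menu_lock, ...) are hypothetical; this is not Win32k code. */

#define SLOTS 4

typedef struct menu {
    uint32_t lock_count;      /* holders that must not see the object vanish */
    bool     in_use;          /* slot currently allocated */
    bool     destroy_pending; /* destroy requested while still locked */
    uint32_t item_count;      /* payload field the kernel later reads */
    struct menu *nested;      /* child ("nested") menu */
} menu_t;

/* Fixed-slot slab: a freed slot is handed out again by the next allocation,
 * which is what makes the reuse below deterministic. */
static menu_t slab[SLOTS];

static menu_t *menu_alloc(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (!slab[i].in_use) {
            memset(&slab[i], 0, sizeof slab[i]);
            slab[i].in_use = true;
            return &slab[i];
        }
    }
    return NULL;
}

static void menu_free_slot(menu_t *m) { m->in_use = false; }

/* Destroy releases the memory at once when nobody holds a lock; otherwise the
 * release is deferred until the last holder unlocks (the safe pattern). */
static void menu_destroy(menu_t *m) {
    if (m->lock_count == 0)
        menu_free_slot(m);
    else
        m->destroy_pending = true;
}

static void menu_lock(menu_t *m) { m->lock_count++; }

static void menu_unlock(menu_t *m) {
    if (--m->lock_count == 0 && m->destroy_pending)
        menu_free_slot(m);
}

/* Assumed trigger: attacker-controlled code runs while the kernel is in the
 * middle of an operation. It destroys the nested menu, then immediately
 * allocates a replacement that lands in the freed slot and fills the field
 * the kernel is about to read with a chosen value. */
static void attacker_callback(menu_t *parent) {
    menu_destroy(parent->nested);
    parent->nested = NULL;
    menu_t *replacement = menu_alloc();
    replacement->item_count = 0x41414141u;
}

/* The kernel operation. With lock_nested == false (the bug class), the pointer
 * captured before the callback is stale afterwards and the read returns
 * attacker-controlled data. With lock_nested == true, the lock keeps the
 * object alive until the kernel is done with it. */
static uint32_t read_nested_item_count(menu_t *parent, bool lock_nested,
                                       void (*callback)(menu_t *)) {
    menu_t *nested = parent->nested;
    if (lock_nested) menu_lock(nested);
    callback(parent);
    uint32_t count = nested->item_count;   /* stale memory if unlocked */
    if (lock_nested) menu_unlock(nested);
    return count;
}

/* Build parent -> nested (item_count = 3), run the operation, return what the
 * kernel saw. Unlocked: 0x41414141. Locked: 3. */
uint32_t simulate(bool lock_nested) {
    memset(slab, 0, sizeof slab);
    menu_t *parent = menu_alloc();
    menu_t *nested = menu_alloc();
    nested->item_count = 3;
    parent->nested = nested;
    return read_nested_item_count(parent, lock_nested, attacker_callback);
}

int main(void) {
    printf("unlocked nested object: kernel read 0x%08x\n", simulate(false));
    printf("locked nested object:   kernel read 0x%08x\n", simulate(true));
    return 0;
}
```

The deterministic slab is what makes the slot reuse reproducible here; against a real kernel pool the same outcome has to be arranged by grooming the heap layout, which is the "memory layout manipulation" work the researchers describe below.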

By experimenting with memory layout manipulation methods, exploit triggers, and memory read/write system functions, Numen researchers successfully developed a PoC that reliably elevated privileges to the SYSTEM level.

According to the researchers, exploiting CVE-2023-29336 presents no significant challenge beyond finding a workable way to control the initial write. The exploit does, however, depend heavily on desktop heap handle addresses that leak to user mode; on older systems that information leak is what makes the bug easy to weaponise, and it is the condition that mitigations need to address.

In light of these findings, system administrators are advised to watch for reads and writes at unusual offsets into kernel GUI objects, window and menu objects in particular, as such activity may indicate active exploitation of CVE-2023-29336 for local privilege escalation. Note that this kind of activity is only visible to kernel-level telemetry (for example an EDR driver), so in practice patching remains the primary control.

To safeguard against this vulnerability and other critical issues, it is strongly recommended that all Windows users promptly apply the May 2023 patch. Notably, this patch addresses not only the aforementioned flaw but also two additional zero-day vulnerabilities that were actively exploited by hackers.

The post Exposed Win32k Windows Vulnerability, Researchers Share Proof-of-Concept Exploit first appeared on Black Hat Ethical Hacking.
