For a Windows local privilege escalation vulnerability that was patched as part of the May 2023 Patch Tuesday, researchers have published a proof-of-concept (PoC) exploit.
The Win32k subsystem (Win32k.sys kernel driver) controls the operating system's window manager and handles screen output, input, and graphics in addition to serving as an interface for various types of input hardware.
Since they usually grant elevated rights or code execution, these kinds of vulnerabilities are often exploited.
Avast, a company that specialises in cybersecurity, first identified the flaw, which is tracked as CVE-2023-29336. It was given a CVSS v3.1 severity rating of 7.8, as it enables low-privileged users to obtain Windows SYSTEM privileges, the highest user mode privileges in Windows.
CISA also released a warning and listed it in its database of "Known Exploited Vulnerabilities" in order to inform people about the actively exploited vulnerability and the importance of installing Windows security upgrades.
Security researchers at Web3 cybersecurity company Numen have now published comprehensive technical information on the CVE-2023-29336 bug and a Proof of Concept exploit for Windows Server 2016 exactly one month after the patch became accessible.
Re-discovering the vulnerability
Although the flaw is being actively used against previous versions of Windows, including Windows 8, Windows Server, and earlier versions of Windows 10, Microsoft claims that Windows 11 is unaffected.
"While this vulnerability seems to be non-exploitable on the Win11 system version, it poses a significant risk to earlier systems," Numen explained in their report. "Exploitation of such vulnerabilities has a notorious track record, and in this in-depth analysis, we delve into the methods employed by threat actors to exploit this specific vulnerability, taking into account evolving mitigation measures."
Win32k only locks the window object but fails to lock the nested menu object, according to Numen's researchers who examined the vulnerability on Windows Server 2016.
This oversight, which the researchers attribute to out-of-date code being transferred to more recent Win32k versions, makes menu objects susceptible to manipulation or hijacking if attackers change the precise address in the system memory.
Even if the initial step doesn't provide attackers admin-level rights, it serves as a useful stepping stone to enable them to obtain this via the following steps. Controlling the menu object means gaining the same-level access as the programme that launched it.
Overall, it can be said that it's not extremely difficult to exploit CVE-2023-29336.
"Apart from diligently exploring different methods to gain control over the first write operation using the reoccupied data from freed memory, there is typically no need for novel exploitation techniques," the report further reads. "This type of vulnerability heavily relies on leaked desktop heap handle addresses […], and if this issue is not thoroughly addressed, it remains a security risk for older systems."
System administrators, according to Numen, should watch out for unusual offset reads and writes in memory or connected to window objects, as these could point to active CVE-2023-29336 privilege escalation.
Applying the May 2023 patch is advised for all Windows users as it corrected two additional active zero-day vulnerabilities in addition to the specific issue.
