Researchers have released a proof-of-concept (PoC) exploit for an actively exploited Windows local privilege escalation vulnerability fixed as part of the May 2023 Patch Tuesday.
The Win32k subsystem (the Win32k.sys kernel driver) implements the operating system’s window manager, screen output, input, and graphics, and acts as the interface between various types of input hardware and the rest of the system.
Because that code runs in kernel mode, exploiting Win32k vulnerabilities tends to yield elevated privileges or kernel code execution.
The vulnerability is tracked as CVE-2023-29336 and was originally discovered by cybersecurity firm Avast. It was assigned a CVSS v3.1 severity rating of 7.8 because it allows low-privileged users to gain Windows SYSTEM privileges, the highest user mode privileges in Windows.
Avast says they discovered the vulnerability after it was actively exploited as a zero-day in attacks. However, the company has declined to share further details with BleepingComputer, so it is unclear how it was abused.
To raise awareness about the actively exploited flaw, and the need to apply Windows security updates, CISA also published an alert and added it to its “Known Exploited Vulnerabilities” catalog.
Exactly a month after the patch became available, security analysts at Web3 cybersecurity firm Numen have now released full technical details on the CVE-2023-29336 flaw and a PoC exploit for Windows Server 2016.
Re-discovering the flaw
Although the vulnerability is actively exploited, Microsoft says it only affects older versions of Windows, including older Windows 10 releases, Windows Server, and Windows 8, and does not affect Windows 11.
“While this vulnerability seems to be non-exploitable on the Win11 system version, it poses a significant risk to earlier systems,” Numen explains in their report.
“Exploitation of such vulnerabilities has a notorious track record, and in this in-depth analysis, we delve into the methods employed by threat actors to exploit this specific vulnerability, taking into account evolving mitigation measures.”
By analyzing the vulnerability on Windows Server 2016, Numen’s researchers found that Win32k locks only the window object and fails to lock the nested menu object it refers to.
This omission, which the researchers say results from obsolete code being copied over to newer Win32k versions, leaves the menu object open to tampering or hijacking: if the object is freed while the kernel still holds a pointer to it and an attacker then places controlled data at that address, Win32k reads the attacker’s data as if it were the menu.
Taking control of the menu object grants the same level of access as the program that launched it, so even if this first step does not get attackers to admin-level privileges, it is an effective springboard for the subsequent steps that do.
The researchers experimented with various memory layout manipulation methods, exploit triggers, and memory read/write primitives, and eventually developed a working PoC that reliably elevates to SYSTEM privileges.
More technical details about this process are available in the Numen report, which is accompanied by a video demonstration of the PoC.
The overall conclusion is that the exploitation of CVE-2023-29336 isn’t particularly challenging.
“Apart from diligently exploring different methods to gain control over the first write operation using the reoccupied data from freed memory, there is typically no need for novel exploitation techniques,” reads the report.
“This type of vulnerability heavily relies on leaked desktop heap handle addresses […], and if this issue is not thoroughly addressed, it remains a security risk for older systems.”
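To make the bug class concrete, the following is an added illustration, not code from the article or from Numen’s report, of the locking mistake described above in a reduced user-mode form: an outer object is reference-locked across a callback, but the nested object it points to is not, so the callback can release the nested object and reoccupy its slot with chosen bytes (the “reoccupied data from freed memory” the report refers to). The object layouts, the `slab_*` allocator standing in for the desktop heap, and the `*_read_item_flags` functions are hypothetical; Win32k’s real structures and the exploit’s actual triggers are only in the Numen report.

```c
/*
 * Toy model of the "outer object locked, nested object not locked" bug class.
 * Illustrative code only: not Win32k's structures and not Numen's exploit.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size slab standing in for the desktop heap. Freed slots go
 * on a LIFO list, so the next same-size allocation reoccupies the last freed
 * slot; a real heap needs spraying/grooming to get this effect reliably. */
#define SLOT_SIZE 32
#define NSLOTS    8

static _Alignas(16) unsigned char slab[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS];
static int free_top;

static void slab_init(void) {
    memset(slab, 0, sizeof slab);
    for (int i = 0; i < NSLOTS; i++)
        free_stack[i] = NSLOTS - 1 - i;   /* pop order: slot 0, 1, 2, ... */
    free_top = NSLOTS;
}

static void *slab_alloc(void) {
    return free_top > 0 ? slab[free_stack[--free_top]] : NULL;
}

static void slab_free(void *p) {
    free_stack[free_top++] = (int)(((unsigned char *)p - slab[0]) / SLOT_SIZE);
}

/* Simplified objects: a lock count that frees the object when it reaches zero. */
typedef struct Menu {
    uint32_t lock;
    uint32_t item_count;
    uint32_t item_flags;   /* the field the "kernel" later reads back */
} Menu;

typedef struct Window {
    uint32_t lock;
    Menu    *menu;         /* nested object referenced by a raw pointer */
} Window;

static void menu_lock(Menu *m)       { m->lock++; }
static void menu_unlock(Menu *m)     { if (--m->lock == 0) slab_free(m); }
static void window_lock(Window *w)   { w->lock++; }
static void window_unlock(Window *w) { if (--w->lock == 0) slab_free(w); }

typedef void (*user_callback_t)(Window *);

/* Vulnerable path: only the window is locked across the callback, so the
 * Menu pointer may be dangling by the time it is dereferenced. */
static uint32_t vuln_read_item_flags(Window *w, user_callback_t cb) {
    window_lock(w);
    Menu *m = w->menu;                /* no lock taken on the nested object */
    cb(w);                            /* user-mode code runs here */
    uint32_t flags = m->item_flags;   /* use-after-free if cb freed m */
    window_unlock(w);
    return flags;
}

/* Hardened path: take a reference on the nested object too, so a release
 * requested by the callback is deferred until we are done with it. */
static uint32_t fixed_read_item_flags(Window *w, user_callback_t cb) {
    window_lock(w);
    Menu *m = w->menu;
    menu_lock(m);
    cb(w);
    uint32_t flags = m->item_flags;   /* m is guaranteed live here */
    menu_unlock(m);                   /* deferred free happens here if needed */
    window_unlock(w);
    return flags;
}

/* Attacker's callback: detach and release the menu, then immediately allocate
 * a same-size object filled with chosen bytes. Without the nested lock this
 * lands in the freed Menu's slot, so the kernel reads attacker data. In the
 * real bug the attacker must first learn where the object lives (the leaked
 * desktop heap handle addresses the report mentions) to aim its writes. */
static void attacker_callback(Window *w) {
    Menu *m = w->menu;
    w->menu = NULL;
    menu_unlock(m);                   /* drops the owner's reference */
    void *spray = slab_alloc();
    if (spray) memset(spray, 0x41, SLOT_SIZE);   /* attacker-controlled bytes */
}

/* Build a window with one menu (constructed sample state) and run one path.
 * Returns what the "kernel" read as item_flags. */
static uint32_t run_scenario(int hardened) {
    slab_init();
    Window *w = slab_alloc();         /* slot 0 */
    Menu   *m = slab_alloc();         /* slot 1 */
    w->lock = 1; w->menu = m;
    m->lock = 1; m->item_count = 3; m->item_flags = 0x8;
    return hardened ? fixed_read_item_flags(w, attacker_callback)
                    : vuln_read_item_flags(w, attacker_callback);
}

int main(void) {
    printf("vulnerable path read item_flags = 0x%08x\n", run_scenario(0));
    printf("hardened   path read item_flags = 0x%08x\n", run_scenario(1));
    return 0;
}
```

On the vulnerable path the read returns 0x41414141, the attacker’s spray, because the freed menu slot was the next one handed out; on the hardened path the extra reference keeps the menu alive across the callback, the spray lands in a different slot, and the original 0x8 is read back. The fix is the single `menu_lock`/`menu_unlock` pair around the callback, which is the kind of lock the report says Win32k omits for the nested object.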
Numen suggests that system admins watch for abnormal offset reads and writes in memory, particularly those involving window objects, which might indicate active exploitation of CVE-2023-29336 for local privilege escalation.
All Windows users should apply the May 2023 Patch Tuesday updates, which, besides this flaw, fixed two more zero-day vulnerabilities that were actively exploited in attacks.