Researchers published PoC exploit code for actively exploited Windows elevation of privilege issue

Researchers published an exploit for an actively exploited Microsoft Windows vulnerability tracked as CVE-2023-29336.

The Microsoft Windows vulnerability CVE-2023-29336 (CVSS score 7.8) is an elevation of privilege issue that resides in the Win32k component. Win32k.sys is a system driver file in the Windows operating system. The driver is responsible for providing the interface between user-mode applications and the Windows graphical subsystem.

The vulnerability is actively exploited in attacks. The issue can be chained with a code execution bug to spread malware. The vulnerability was reported by researchers Jan Vojtěšek, Milánek, and Luigino Camastra from Avast Antivirus firm. The researchers believe this flaw was used as part of an exploit chain to deliver malware.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” reads the advisory.

Microsoft addressed the issue with the release of Patch Tuesday security updates for May 2023.

Win32k.sys is loaded into memory during the system startup and remains active throughout the operating system’s runtime. A flaw in the Win32k.sys driver can be exploited by attackers to gain unauthorized access to a system.

Researchers from Singapore-based cybersecurity firm Numen Cyber have published a detailed analysis of the vulnerability along with a proof-of-concept (PoC) exploit that works against Windows Server 2016.

The experts pointed out that this vulnerability seems to be non-exploitable on the Windows 11 systems, however, it poses a significant risk to earlier systems.

“It appears that the previous code implementation focused solely on locking the window object, inadvertently neglecting to lock the menu object nested within the window object.” reads the analysis published by the experts.

The analysis of the code revealed that the previous code implementation was only locking the window object, failing to secure the menu object contained within the window object

The experts explained that this type of vulnerability relied on leaked desktop heap handle addresses in the heap memory.

Below is a video demonstrating how the exploit works on Windows Server 2016.

“Exploiting this particular vulnerability does not generally pose significant challenges. Apart from diligently exploring different methods to gain control over the first write operation using the reoccupied data from freed memory, there is typically no need for novel exploitation techniques. This type of vulnerability heavily relies on leaked desktop heap handle addresses.” concludes the flaw. “While there may have been some modifications, if this issue is not thoroughly addressed, it remains a security risk for older systems.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kimsuky)