A proof-of-concept (PoC) exploit has been made public for a Windows local privilege escalation vulnerability that has been actively exploited. The vulnerability, identified as CVE-2023-29336, was fixed during the May 2023 Patch Tuesday. The Win32k subsystem (Win32k.sys kernel driver) is responsible for managing the window manager, screen output, input, and graphics of the operating system, as well as acting as an interface between various input hardware. Exploiting such vulnerabilities often leads to elevated privileges or code execution.
Cybersecurity firm Avast initially discovered the vulnerability and was assigned a CVSS v3.1 severity rating of 7.8, as it allows low-privileged users to obtain Windows SYSTEM privileges, the highest user mode privileges in Windows. Avast revealed that the vulnerability was being actively exploited as a zero-day in attacks, but declined to share further details. The Cybersecurity and Infrastructure Security Agency (CISA) published an alert to raise awareness about the actively exploited flaw and added it to its "Known Exploited Vulnerabilities" catalog.
A month after the patch became available, security analysts at Web3 cybersecurity firm Numen released full technical details on the CVE-2023-29336 flaw and a PoC exploit for Windows Server 2016. Microsoft states that the vulnerability only affects older versions of Windows, including older Windows 10 versions, Windows Server, and Windows 8, and does not impact Windows 11. Numen explains in their report, "While this vulnerability seems to be non-exploitable on the Win11 system version, it poses a significant risk to earlier systems."
Numen researchers analyzed the vulnerability on Windows Server 2016 and found that Win32k only locks the window object but fails to lock the nested menu object. They claim that this omission, which results from obsolete code being copied over to newer Win32k versions, leaves menu objects open to tampering or hijacks if attackers modify the specific address in the system memory. Gaining control of the menu object means acquiring the same-level access as the program that launched it. Even if the first step doesn't grant attackers admin-level privileges, it serves as an effective springboard for achieving this through subsequent steps.
The researchers developed a working PoC that would reliably elevate to SYSTEM privileges after experimenting with various memory layout manipulation methods, exploit triggers, and memory read/write system functions. The Numen report provides more technical details about this process. The researchers conclude that exploiting CVE-2023-29336 isn't particularly challenging, stating, "This type of vulnerability heavily relies on leaked desktop heap handle addresses […], and if this issue is not thoroughly addressed, it remains a security risk for older systems." Numen recommends that system admins watch for abnormal offset reads and writes in memory or related to window objects, which might indicate active exploitation of CVE-2023-29336 for local privilege escalation. All Windows users are advised to apply the May 2023 patch, which also fixed two more zero-day vulnerabilities that hackers actively exploited.