CVE-2013-1300
Published: 2013-07-10
Priority: P2 (high). CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploited in the wild; listed in VulnCheck KEV
EPSS: 12.18% (95.6th percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle objects in memory, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Allocation Vulnerability."
Detection & IOCs (extracted from sources)
- Exploit targets Windows 7 SP0/SP1 only (build 7600 unconditionally vulnerable; build 7601 vulnerable below revision 18176 on branch 18, or below revision 22348 on other branches). Check the win32k.sys file version to triage.
- Exploit performs reflective DLL injection of schlamperei.x86.dll into a spawned notepad.exe process, then migrates the payload into winlogon.exe. Monitor for notepad.exe spawning from unusual parents followed by cross-process access to winlogon.exe.
- Kernel shellcode nulls the ACL of winlogon.exe (a SYSTEM process) to allow unprivileged migration. Detect unexpected process migration or handle opens targeting winlogon.exe with PROCESS_ALL_ACCESS from low-privilege processes.
- Post-exploitation indicator: a winlogon.exe crash or instability after session exit is a behavioral artifact of this exploit's ACL-nulling technique.
- Exploit only supports the x86 architecture; WOW64 and native x64 systems are explicitly rejected by the module.
- Exploit requires an existing Meterpreter session (SessionTypes: meterpreter) and will abort if the session is already SYSTEM-level.
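The version-triage rule in the first bullet, as an added helper that is not part of the page or of the Metasploit module: it takes win32k.sys file-version strings collected from an inventory and reports which ones fall inside the window the module targets. Assumptions: versions are `major.minor.build.revision` strings such as `6.1.7601.18176`, and "branch 18" means the revision range 18000-18999 (every other range uses the 22348 threshold). This checks only the module's target window, not the full affected-product list in the advisory.

```python
"""Triage helper: does a win32k.sys file version fall inside the window the
Schlamperei module targets?  Assumptions (not taken from the page):
versions are 'major.minor.build.revision' strings (e.g. '6.1.7601.18176'),
and 'branch 18' means revisions 18000-18999; any other revision range is
compared against the other-branch threshold."""
from typing import NamedTuple


class Win32kVersion(NamedTuple):
    major: int
    minor: int
    build: int
    revision: int


def parse_version(text: str) -> Win32kVersion:
    """Parse a four-part file version string into integers; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return Win32kVersion(*map(int, parts))


# First fixed revisions quoted from the module's target check.
BRANCH18_FIXED_REVISION = 18176   # build 7601, revisions 18000-18999
OTHER_FIXED_REVISION = 22348      # build 7601, all other revision ranges


def in_exploit_window(version: str) -> bool:
    """True if this win32k.sys version is one the module would attempt to exploit."""
    v = parse_version(version)
    if (v.major, v.minor) != (6, 1):          # only the Windows 7 (NT 6.1) kernel
        return False
    if v.build == 7600:                       # SP0: unconditionally vulnerable
        return True
    if v.build == 7601:                       # SP1: threshold depends on branch
        if 18000 <= v.revision < 19000:
            return v.revision < BRANCH18_FIXED_REVISION
        return v.revision < OTHER_FIXED_REVISION
    return False


def triage(versions):
    """Map each collected version string to a verdict for reporting."""
    return {v: ("in exploit window" if in_exploit_window(v) else "outside window")
            for v in versions}


if __name__ == "__main__":
    # Constructed sample values, not real inventory data.
    for ver, verdict in triage(["6.1.7600.16385", "6.1.7601.17514", "6.1.7601.18176",
                                "6.1.7601.22000", "6.1.7601.22348", "6.2.9200.16384"]).items():
        print(f"{ver:16} {verdict}")
```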
CVSS provenance
- NVD (CVSS 2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 7.2 HIGH
GHSA
GHSA-cxxm-972m-66mg: win32k (CVE-2013-1300, HIGH; unreviewed, 2022-05-13). The advisory text repeats the NVD description above.
VulnCheck
CVE-2013-1300 [HIGH] Win32k Memory Allocation Vulnerability (vulncheck, 2013, CVSS 7.2). The entry text repeats the NVD description above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://go.group-ib.com/hubfs/report/protected/group-ib-opera1er-full-threat-research-2022-en.pdf
Exploit PoC: https://vulncheck.com/xdb/81561865ba6b
No detection rules found.
Exploit-DB
Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit) (exploitdb, 2014-05-06, CVE-2013-1300)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  # (mixin includes and the start of initialize are not preserved in this excerpt)
      'Name'          => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)',
      'Description'   => %q{
        A kernel pool overflow in Win32k which allows local privilege escalation.
        The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
        This allows any unprivileged process to freely migrate to winlogon.exe, achieving
        privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox.
        NOTE: when you exit
Metasploit
Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) (metasploit)
This module leverages a kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. This exploit was used in pwn2own 2013 by MWR to break out of chrome's sandbox. NOTE: when a meterpreter session started by this exploit exits, winlogon.exe is likely to crash.
No writeups or analysis indexed.
References
- http://www.exploit-db.com/exploits/33213
- http://www.us-cert.gov/ncas/alerts/TA13-190A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-053
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17353