CVE-2013-3660
Published 2013-05-24
Priority: high (P186), CVSS 3.1 base score 7.8
Flags: CISA Known Exploited Vulnerability (remediation due 2022-04-18), exploited in the wild, exploit available, known ransomware use
EPSS: 39.58% (98.4th percentile)
The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation of CVE-2013-3660 via repeated FlattenPath() GDI calls: monitor for processes making excessive NtGdiFlattenPath syscalls combined with PolyDraw() calls using large bezier point arrays (up to MAX_POLYPOINTS = 8192*3 points), which is the exploit trigger pattern.
- The Metasploit module for CVE-2013-3660 migrates into a hidden notepad.exe process before loading the exploit DLL. Detect: notepad.exe spawned hidden from a meterpreter session, followed by loading of a randomly-named DLL.
- Cryptowall post-exploitation: detect execution of vssadmin.exe with 'Delete Shadows /All /Quiet' and bcdedit.exe modifying boot recovery settings; these commands are executed as a batch by the malware to destroy recovery options.
- Cryptowall uses outbound HTTP GET requests to wtfismyip.com/text, ip-addr.es, myexternalip.com/raw, and curlmyip.com for external IP discovery; alert on these requests originating from non-browser processes in enterprise environments.
- Cryptowall establishes SSL connections to .onion C2 domains (crptarv4hcu24ijv.onion, crptbfoi5i54ubez.onion, crptcj7wd4oaafdl.onion) on ports 443 or 9090 using random server names in certificates but with consistent client certificate commonalities; monitor for anomalous TLS client certificates to .onion addresses.
- Cryptowall persistence: detect a RunOnce registry value prefixed with '*' (asterisk) under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce; this prefix forces execution even in Safe Mode and is a distinctive malware indicator.
- The Metasploit module for CVE-2013-3660 only supports 32-bit (x86) targets and will explicitly fail against WOW64 and native 64-bit systems, despite the vulnerability existing on 64-bit Windows.
- The Cryptowall dropper's CVE-2013-3660 exploit works on 32-bit OSes starting from Vista, but a separate embedded 64-bit DLL is used to trigger the exploit on AMD64 systems; detection logic must account for both execution paths.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
GHSA
GHSA-f2wh-c6mm-3vrx: The EPATHOBJ::pprFlattenRec function in win32k
ghsa (unreviewed) · 2022-05-14 · severity MEDIUM · CWE-119
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck · 2013 · CVSS 7.8 (HIGH) · CWE-119
The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft does not properly initialize a pointer for the next object in a certain list, which allows local users to gain privileges.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.talosintelligence.com/2015/01/ransomware-on-steroids-cryptowall-20.html; https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf; https://www.welivesecurity.com/2015/04/09/operation-buhtrap/; https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758; https://www.cisa.g
CISA
Microsoft Win32k Privilege Escalation Vulnerability
cisa · 2022-03-28 · CVSS 7.8 (HIGH) · CWE-119
Affected: Microsoft Win32k
The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft does not properly initialize a pointer for the next object in a certain list, which allows local users to gain privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-3660
Remediation Due Date: 2022-04-18
No detection rules found.
Exploit-DB
Microsoft Windows - 'EPATHOBJ::pprFlattenRec' Local Privilege Escalation (Metasploit)
exploitdb · 2013-07-02 · listed under CVE-2013-3661
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/process'

# Local (post-exploitation) privilege escalation module; the mixins
# correspond to the requires above.
class Metasploit3 < Msf::Exploit::Local
  include Msf::Post::Common
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation',
      'Description' => %q{
        This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage
        of uninitialized data which allows to corrupt memory. At the moment, the module has
        been tested successfully on Windows XP SP3, Windows 2003 SP1, a
```
Exploit-DB
Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - 'EPATHOBJ' Local Ring
exploitdb · 2013-06-03 · listed under CVE-2013-3661
---
```c
#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include <windows.h>
// The next four header names were stripped from this listing during extraction.
#include
#include
#include
#include
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include <ntstatus.h>
#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")
#pragma comment(lib, "shell32")
#pragma comment(linker, "/SECTION:.text,ERW")
#ifndef PAGE_SIZE
# define PAGE_SIZE 0x1000
#endif
#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000
//
// --------------------------------------------------
// Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
// ----------------------------------------- taviso () cmpxchg8b com -----
//
// INTRODUCTION
//
// There's a pretty ob
```
Exploit-DB
Microsoft Windows - Win32k!EPATHOBJ::pprFlattenRec Uninitialized Next Pointer Testcase
exploitdb · 2013-05-21 · listed under CVE-2013-3661
---
I'm quite proud of this list cycle trick, here's how to turn it into an arbitrary write.

First, we create a watchdog thread that will patch the list atomically when we're ready. This is needed because we can't exploit the bug while HeavyAllocPool is failing, because of the early exit in pprFlattenRec:

```asm
.text:BFA122B8 call newpathrec ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
.text:BFA122BD cmp eax, 1 ; Check for failure
.text:BFA122C0 jz short continue
.text:BFA122C2 xor eax, eax ; Exit early
.text:BFA122C4 jmp early_exit
```

So we create a list node like this:

```c
PathRecord->Next = PathRecord;
PathRecord->Flags = 0;
```

Then EPATHOBJ::bFlatten() spins forever doing nothing:

```c
BOOL __thiscall EP
```
Metasploit
Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation
metasploit
This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of uninitialized data which allows to corrupt memory. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
Checkpoint
Exploit Developer Spotlight: The Story of PlayBit
blogs_checkpoint · 2020-10-26 · CVSS 7.8 (HIGH) · listed under CVE-2018-8453
## Exploit Developer Spotlight: The Story of PlayBit
Research By: Eyal Itkin and Itay Cohen
## Introduction
Exploits have always been an important and integral part of malicious attacks.
Checkpoint
Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint · 2020-10-02 · listed under CVE-2019-0859
## Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Talos
Ransomware on Steroids: Cryptowall 2.0
blogs_talos · 2015-01-06 · CVSS 7.8 (HIGH)
This post was authored by Andrea Allievi and Earl Carter.
Ransomware holds a user’s data hostage. The latest ransomware variants encrypt the user’s data, thus making it unusable until a ransom is paid to retrieve the decryption key. The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper. Under the Windows 32-bit on Windows 64-bit (WOW64) environment, it is indeed able to switc
Krebs
Adobe, Microsoft Release Critical Updates
blogs_krebs · 2013-07-09 · CVSS 7.8 (HIGH)
Patch Tuesday is upon us once again. Adobe today pushed out security fixes for its Flash and Shockwave media players. Separately, Microsoft released seven patch bundles addressing at least 34 vulnerabilities in Microsoft Windows and other software. At least one of the Windows flaws is already being exploited in active attacks.
Six of the seven Microsoft patches released today earned the company’s most dire “critical” rating, meaning the patches plug security holes that could be exploited by malware or miscreants with no help from PC users, save for visiting a hacked site or opening a specially crafted document.
Microsoft and security experts are calling special attention to MS13-053, which fixes at least eight flaws in Windows’ implementation of TrueType font files. These critical TrueTy
Krebs
Adobe, Microsoft Release Critical Updates – Krebs on Security
blogs_krebs · 2013-07-01 · CVSS 7.8 (HIGH)
Threat Intel
FIN6 (FIN6, Magecart Group 6, ITG08)
threat_intel
# Threat Actor Profile: FIN6
ATT&CK ID: G0037
Also known as: FIN6, Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
## Overview
FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: FireEye FIN6 Apr 2019)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: FIN6 has targeted victims with e-mails containing ma
arXiv
Technical Aspects of Cyber Kill Chain
arxiv_fulltext · 2016-06-10
Tarun Yadav, Scientist, Defence Research and Organisation, INDIA: [email protected]
Rao Arvind Mallari, Scientist, Defence Research and Organisation, INDIA: [email protected]
## Abstract
Recent trends in targeted cyber-attacks have increased the interest of research in the field of cyber security. Such attacks have massive disruptive effects on organizations, enterprises and governments. The cyber kill chain is a model that describes cyber-attacks so as to develop incident response and analysis capabilities. In simple terms, the cyber kill chain is an attack chain: the path that an intruder takes to penetrate information systems over time to execute an attack on the target. This paper broadly categorises the methodologies, techniques and tools involv
References
- http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0090.html
- http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0094.html
- http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0006.html
- http://secunia.com/advisories/53435
- http://twitter.com/taviso/statuses/309157606247768064
- http://twitter.com/taviso/statuses/335557286657400832
- http://www.computerworld.com/s/article/9239477
- http://www.exploit-db.com/exploits/25611/
- http://www.osvdb.org/93539
- http://www.reddit.com/r/netsec/comments/1eqh66/0day_windows_kernel_epathobj_vulnerability/
- http://www.theverge.com/2013/5/23/4358400/google-engineer-bashes-microsoft-discloses-windows-flaw
- http://www.us-cert.gov/ncas/alerts/TA13-190A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-053
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17360
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3660
Timeline
- Published: 2013-05-24
- Added to CISA KEV: 2022-03-28
- Exploited in the wild