cbcvebase.
CVE-2013-3660
published 2013-05-24

Priority: P1 86 high · CVSS 3.1: 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (remediation due 2022-04-18)
Exploited in the wild
EPSS: 39.58% (98.4th percentile)
The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."

Affected (1 range)

Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008   (none given)    (none given)

Detection & IOCs (extracted from sources)

hash (MD5): F31B1C58E0110B407EF1F99F2C8A5A63
hash (SHA-256): 0483900fea2f27028ca0971729422b903c5e75542b93c9fa3377c5a201f7c31c
domain: crptarv4hcu24ijv.onion
domain: crptbfoi5i54ubez.onion
domain: crptcj7wd4oaafdl.onion
port: 443
port: 9090
url: http://wtfismyip.com/text
url: http://ip-addr.es
url: http://myexternalip.com/raw
url: http://curlmyip.com
registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
command: vssadmin.exe Delete Shadows /All /Quiet
command: bcdedit.exe /set {default} recoveryenabled No
command: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
path: data/exploits/cve-2013-3660/exploit.dll
  • Exploitation of CVE-2013-3660 itself: the trigger is a process that first drives paged-pool consumption up and then makes many FlattenPath() calls (NtGdiFlattenPath syscalls) against paths built with PolyDraw() from very large Bézier point arrays (the exploit code uses up to MAX_POLYPOINTS = 8192*3 points). Catching this pattern needs syscall-level instrumentation; process-creation logging alone will not see it.
  • The Metasploit module for CVE-2013-3660 (exploit/windows/local/ppr_flatten_rec) migrates into a hidden notepad.exe process before loading the exploit DLL. Detect: notepad.exe spawned with a hidden window from a Meterpreter session, followed by that process loading a randomly named DLL.
  • Cryptowall post-exploitation: detect vssadmin.exe run with 'Delete Shadows /All /Quiet' together with bcdedit.exe disabling recovery ('/set {default} recoveryenabled No' and '/set {default} bootstatuspolicy ignoreallfailures'). The malware runs these as one batch to destroy recovery options, so correlate the three commands by parent process rather than alerting on each one in isolation.
  • Cryptowall sends outbound HTTP GET requests to wtfismyip.com/text, ip-addr.es, myexternalip.com/raw and curlmyip.com to learn its external IP address; alert on requests to these hosts that originate from non-browser processes.
  • Cryptowall establishes SSL connections to .onion C2 domains (crptarv4hcu24ijv.onion, crptbfoi5i54ubez.onion, crptcj7wd4oaafdl.onion) on port 443 or 9090. The server certificates carry random names, but the client certificates share consistent fields, so monitor for anomalous TLS client certificates presented to .onion addresses.
  • Cryptowall persistence: a RunOnce value whose name is prefixed with '*' under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce. Windows honours the asterisk prefix by running the entry even in Safe Mode, and legitimate software almost never uses it, which makes the prefix a distinctive indicator.
  • The Metasploit module for CVE-2013-3660 only supports 32-bit (x86) targets and explicitly fails against WOW64 and native 64-bit sessions, even though the vulnerability also exists in 64-bit Windows.
  • The Cryptowall dropper's CVE-2013-3660 exploit works on 32-bit Windows from Vista onward, and a separate embedded 64-bit DLL triggers the exploit on AMD64 systems, so detection logic must cover both execution paths.
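The Cryptowall indicators in the list above (recovery-destruction command batch, IP-check requests from non-browser processes, .onion C2 ports, the '*' RunOnce prefix) as one detection routine run over sample events. This is an added example, not code from this page's sources or from any vendor: the event schema (field names type, image, cmdline, ppid, url, host, port, target), the rule names, the browser allowlist and the sample events are all assumptions constructed for the example; only the IOC strings come from the page.

```python
"""Detection logic for the Cryptowall post-exploitation indicators listed above.

Added example, not code from the page's sources.  Events are a constructed,
Sysmon-like list of dicts; the field names are assumptions for this example,
so adapt them to whatever your log parser emits.
"""
import re
from collections import defaultdict

# IOC strings taken verbatim from the list on this page.
IP_CHECK_URLS = {
    "http://wtfismyip.com/text",
    "http://ip-addr.es",
    "http://myexternalip.com/raw",
    "http://curlmyip.com",
}
ONION_C2_PORTS = {443, 9090}
RECOVERY_KILL = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
]
# A RunOnce value whose *name* begins with '*' is run by Windows even in Safe Mode.
RUNONCE_STAR = re.compile(r"\\CurrentVersion\\RunOnce\\\*", re.I)
# Assumption: site-specific allowlist of processes expected to fetch web content.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) tuples.  The recovery-destruction rule fires once
    per parent process, and only after all three commands have been seen."""
    alerts = []
    seen = defaultdict(set)   # parent pid -> indices of RECOVERY_KILL patterns seen
    fired = set()
    for ev in events:
        if ev["type"] == "process":
            ppid = ev["ppid"]
            for i, pat in enumerate(RECOVERY_KILL):
                if pat.search(ev["cmdline"]):
                    seen[ppid].add(i)
            if len(seen[ppid]) == len(RECOVERY_KILL) and ppid not in fired:
                fired.add(ppid)
                alerts.append(("recovery_destruction", f"ppid={ppid}"))
        elif ev["type"] == "http":
            if ev["url"] in IP_CHECK_URLS and basename(ev["image"]) not in BROWSERS:
                alerts.append(("ipcheck_nonbrowser", f"{basename(ev['image'])} -> {ev['url']}"))
        elif ev["type"] == "tls":
            # Only a proxy or TLS-inspection log will carry an .onion host name;
            # host-based sensors see the Tor circuit, not the hidden service.
            if ev["host"].endswith(".onion") and ev["port"] in ONION_C2_PORTS:
                alerts.append(("onion_c2", f"{ev['host']}:{ev['port']}"))
        elif ev["type"] == "registry":
            if RUNONCE_STAR.search(ev["target"]):
                alerts.append(("runonce_safemode", ev["target"]))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1201, "ppid": 1200, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "pid": 1202, "ppid": 1200, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"type": "process", "pid": 1203, "ppid": 1200, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "http", "image": r"C:\Users\victim\AppData\Roaming\a1b2c3.exe",
     "url": "http://wtfismyip.com/text"},
    {"type": "http", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "url": "http://ip-addr.es"},                       # browser: benign, no alert
    {"type": "tls", "host": "crptarv4hcu24ijv.onion", "port": 443},
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\*a1b2c3"},
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},  # no alert
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The recovery-destruction rule is keyed on the parent PID so that the three commands are treated as one batch, as the source describes, instead of three separate low-confidence hits; the first two commands alone produce no alert. The .onion check is deliberately placed on a separate event type because those names only show up in proxy or TLS-inspection logs, not in host process telemetry.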

CVSS provenance

Source      Version   Score        Vector
NVD         v3.1      7.8 HIGH     CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD         v2.0      6.9 MEDIUM   AV:L/AC:M/Au:N/C:C/I:C/A:C
VulnCheck             7.8 HIGH
CISA                  7.8 HIGH