CVE-2013-5065
published 2013-11-28

CVE-2013-5065: NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.

Priority: P1 80 high
CVSS 3.1: 7.8
CISA Known Exploited Vulnerability (due 2022-03-24)
Exploited in the wild
EPSS: 34.89% (98.2th percentile)

Detection & IOCs (extracted from sources)

path: \\.\NDProxy
IOCTL: 0x8fff23cc
IOCTL: 0x8fff23c8
filename: NDProxy.sys
  • Monitor for DeviceIoControl calls to the \\.\NDProxy device using IOCTL codes 0x8fff23cc or 0x8fff23c8 from user-mode processes; this is the trigger mechanism for this exploit.
  • Detect NtAllocateVirtualMemory calls mapping memory at or near address 0x00000001 (null page / low memory allocation) — a prerequisite for the NULL pointer dereference exploitation technique used by this exploit.
  • Alert on CreateFile handles opened against \\.\NDProxy from non-system, non-RAS processes, especially combined with subsequent DeviceIoControl calls.
  • Turla/Waterbug threat actor exploited CVE-2013-5065 via specially crafted emails with malicious attachments and compromised websites; correlate NDProxy exploitation with spear-phishing or watering-hole initial access indicators.
  • Absence of patch KB2914368 is a prerequisite for exploitation; use vulnerability scanning or WMIC to identify unpatched Windows XP SP3 / Server 2003 SP2 x86 systems.
  • The exploit only supports 32-bit (x86) targets; running against WOW64 or native 64-bit systems will fail. Detection logic should account for architecture.
  • The exploit input buffer uses a magic value at offset 20 (0x7030125 / 0x25010307) and a size field of 0x34; these specific values in a DeviceIoControl input buffer of length 0x54 are a reliable detection artifact.
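The indicators above (device path, trigger IOCTLs, 0x54-byte input buffer, magic DWORD at offset 20) combined into one detection routine, as an added example that is not part of this record. It assumes a hypothetical telemetry source that records each DeviceIoControl call as an IoctlEvent; the size-field offset is not given on the page, so it is not checked, and the trusted-process allowlist is an assumption the deployer fills in.

```python
import struct
from dataclasses import dataclass

# Indicators taken from the IOC list above.
NDPROXY_DEVICE = r"\\.\NDProxy"
TRIGGER_IOCTLS = {0x8FFF23CC, 0x8FFF23C8}
INPUT_BUFFER_LEN = 0x54
MAGIC_OFFSET = 20
# Both spellings quoted by the source, each encoded as a little-endian DWORD.
MAGIC_BYTES = {struct.pack("<I", 0x07030125), struct.pack("<I", 0x25010307)}


@dataclass
class IoctlEvent:
    """One DeviceIoControl call as a hypothetical telemetry source might log it (constructed)."""
    process: str
    device: str
    ioctl: int
    in_buffer: bytes


def match_indicators(ev: IoctlEvent) -> list[str]:
    """Return the names of the CVE-2013-5065 indicators this event matches."""
    hits: list[str] = []
    if ev.device.lower() != NDPROXY_DEVICE.lower():
        return hits  # not NDProxy at all: nothing to report
    hits.append("ndproxy_device")
    if ev.ioctl in TRIGGER_IOCTLS:
        hits.append("trigger_ioctl")
    if len(ev.in_buffer) == INPUT_BUFFER_LEN:
        hits.append("buffer_len_0x54")
        if ev.in_buffer[MAGIC_OFFSET:MAGIC_OFFSET + 4] in MAGIC_BYTES:
            hits.append("magic_at_offset_20")
    return hits


def classify(ev: IoctlEvent, trusted: frozenset[str] = frozenset()) -> str:
    """Severity for the event: 'high', 'medium', 'low' or 'none'.

    'trusted' is an assumed allowlist of system/RAS process names whose
    NDProxy IOCTLs are expected; it only downgrades the IOCTL-only case.
    """
    hits = match_indicators(ev)
    if "magic_at_offset_20" in hits and "trigger_ioctl" in hits:
        return "high"      # trigger IOCTL plus the exact buffer layout
    if "trigger_ioctl" in hits and ev.process.lower() not in trusted:
        return "medium"    # trigger IOCTL from an unexpected process
    return "low" if hits else "none"
```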

CVSS provenance

  • nvd (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • nvd (v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
  • vulncheck: 7.8 HIGH
  • cisa: 7.8 HIGH