CVE-2014-4113
published 2014-10-15


Priority: P1 (84), high; CVSS 3.1 base score 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2022-05-25
Exploited in the wild (ITW); public exploit available
EPSS: 87.04% (99.7th percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."

Affected (2 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008   (none given)    (none given)
microsoft   windows_server_2012   (none given)    (none given)

Detection & IOCs (extracted from sources)

filename: win32k.sys
path: C:\Windows\Temp:1
filename: rdpinst.exe
registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SetupExecute
registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
registry: \Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39666.zip
command: cmd.exe /c reg.exe
bytes: \xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60
  • Detect NTFS Alternate Data Stream (ADS) creation at C:\Windows\Temp:1, used to hide the Native Application binary from standard file browsers.
  • Monitor for modifications to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SetupExecute and BootExecute registry values, which the malware alters to persist a Native Application across reboots.
  • Alert on creation of rdpinst.exe and its registration under \Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce as a persistence indicator for the final payload.
  • Detect use of low-level syscall stubs INT 2Eh and CALL ntdll!KiFastSystemCall in user-mode processes, used to bypass AV/sandbox user-space hooks.
  • Detect removal of filter driver registry entries prior to reboot, a technique used to disable AV drivers before the Native Application executes during boot.
  • Detect TrackPopupMenu-based win32k.sys exploitation pattern: a WH_CALLWNDPROC hook combined with TrackPopupMenu calls, as used in the CVE-2014-4113 PoC exploit targeting Windows 8.0–8.1 x64.
  • Flag processes spawning cmd.exe /c reg.exe for registry modification, as the malware uses this indirection to distance itself from direct malicious registry writes.
  • The malware contains extensive anti-sandbox and anti-AV checks; it will prematurely terminate and re-encrypt its .data section if it detects a sandbox, VM, or specific AV products, meaning sandbox-only analysis will miss full functionality.
  • The malware checks for two hard-coded MAC addresses and terminates if the host matches either, limiting detonation on certain analysis machines.
  • The exploit for CVE-2014-4113 is embedded as a 64-bit executable inside a nested encrypted/compressed blob (Matryoshka structure); static extraction requires RC4 decryption with key 'dqrChZonUF' followed by aPLib decompression.
  • Swapping the shellcode in the EDB-37064 PoC for a bind or reverse shell will cause a BSOD; the embedded shellcode only safely executes cmd.exe.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck             7.8     HIGH
cisa                  7.8     HIGH