CVE-2017-0101
published 2017-03-17

Priority: P186 high
CVSS 3.1: 7.8 (high), CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2022-04-05
Exploited in the wild
EPSS: 57.48% (99.0th percentile)
The kernel-mode drivers in Transaction Manager in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."

Affected

7 ranges (columns: vendor, product, version range, fixed in; the version range and fixed-in columns are empty in the source):
  • microsoft_corporation / windows
  • msrc / windows_7_for_32-bit_systems_service_pack_1
  • msrc / windows_server_2008_for_32-bit_systems_service_pack_2
  • msrc / windows_server_2008_for_itanium-based_systems_service_pack_2
  • msrc / windows_server_2008_for_x64-based_systems_service_pack_2
  • msrc / windows_vista_service_pack_2
  • msrc / windows_vista_x64_edition_service_pack_2

The CVE description above also names Windows 8.1, Windows RT 8.1, Windows Server 2012 Gold and R2, Windows 10 (Gold, 1511, 1607) and Windows Server 2016; those platforms do not appear in this affected table, so do not treat the table as the complete list of vulnerable systems.

Detection & IOCs (extracted from sources)

  • command: cmd.exe
  • process: ntkrnlpa.exe
  • The exploit registers window classes using the string 'KCUF' as the class-name marker; this string appearing in window-class registration activity is an indicator that the PoC is executing.
  • The exploit calls the undocumented GDI32 function PolyPatBlt to trigger the kernel vulnerability; calls to PolyPatBlt from processes that do not otherwise perform GDI drawing, or from unusual user-mode callers, are a detection signal (this requires user-mode API monitoring, since ordinary process telemetry does not record it).
  • The exploit creates an oversized bitmap (0x36D x 0x12AE8F) via CreateBitmap to shape the kernel pool layout; anomalously large bitmap allocations can be a detection indicator.
  • The exploit targets the Windows 7 x86 kernel and overwrites the Token pointer at EPROCESS offset 0x0f8 to steal the SYSTEM token; kernel integrity monitoring that watches for changes to the token pointer in EPROCESS structures should alert on this.
  • The exploit calls EnumDeviceDrivers (psapi) to locate the ntoskrnl base address as part of its KASLR bypass; calls from non-administrative, non-debugging processes are suspicious, but many legitimate tools query this API, so treat it as a weak signal to be correlated with the other indicators rather than alerted on alone.
  • After the token swap the exploit spawns a new cmd.exe console running as SYSTEM; a SYSTEM cmd.exe created with CREATE_NEW_CONSOLE whose parent is a non-privileged user process is a post-exploitation indicator.
  • The exploit sprays palettes (0x64 entries each) and checks for a specific pool alignment value (0x00000E54 after masking with 0xFFF) to locate the controlled kernel pool page; this palette count and alignment check are specific to this exploit.
  • The PoC targets Windows 7 x86 only; the EPROCESS offsets it uses (UniqueProcessId 0x0b4, ActiveProcessLinks 0x0b8, Token 0x0f8) are hardcoded for that architecture and differ on other Windows versions and on x64 builds.
  • The PoC hardcodes GDI object table offsets (iExtPaleHmgr=809, iExtcEntries=814, iExtPalColor=828) for the targeted Windows 7 x86 kernel build; they are not valid on other versions.
  • The PoC's heap spray uses up to 2000 bitmaps and 3000 temporary objects (maxTimes/tmpTimes); the reliability of the pool grooming is environment-dependent and the exploit may fail silently.
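The post-exploitation indicator above (a SYSTEM cmd.exe spawned by a non-privileged parent) has a subtlety worth showing in code: once the PoC has swapped its own EPROCESS token, a sensor that reads the parent's token at child-creation time already sees SYSTEM, so the comparison must be made against the user recorded when the parent itself was created. The following is an added example written for this page (editor's code, not code from the tracker or from the CVE-2017-0101 PoC). The event records are constructed for the example and only loosely follow Sysmon Event ID 1 field names (ProcessId, Image, User, ParentProcessId, ParentImage); that schema and the list of expected SYSTEM launchers are assumptions to be adapted to the sensor and estate in use.

```python
"""Flag cmd.exe started as SYSTEM by a parent that was created as an ordinary user.

Added detection example (editor's code; not from the tracker page or the CVE-2017-0101 PoC).
Event records are constructed for this example and loosely follow Sysmon Event ID 1 field
names; the exact schema is an assumption, not a specific sensor's format.
"""

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Images that legitimately start SYSTEM children on Windows 7 (service control manager,
# service hosts, task scheduler engine, WMI provider host). Assumed baseline; tune per estate.
EXPECTED_SYSTEM_PARENTS = {
    "services.exe", "svchost.exe", "wininit.exe", "smss.exe",
    "winlogon.exe", "taskeng.exe", "wmiprvse.exe",
}


def image_name(path):
    """Lower-cased file name of a Windows path ("C:\\Windows\\CMD.EXE" -> "cmd.exe")."""
    return path.rsplit("\\", 1)[-1].lower()


def find_token_swap_children(events):
    """Return [(child_pid, parent_pid, parent_user_at_creation), ...].

    A hit is a cmd.exe running as SYSTEM whose parent (a) is not a known SYSTEM launcher
    and (b) was recorded as a non-SYSTEM user in its own creation event.  The parent's
    identity is taken from that earlier event rather than from any ParentUser field,
    because after the EPROCESS token swap the parent's token already reads as SYSTEM at
    the moment the child is created.  `events` must be in chronological order; Windows
    reuses PIDs, so the latest creation event for a PID wins.
    """
    created_as = {}   # pid -> (image name, user) recorded at process creation
    hits = []
    for ev in events:
        pid = ev["ProcessId"]
        img = image_name(ev["Image"])
        if img == "cmd.exe" and ev["User"] == SYSTEM_USER:
            ppid = ev["ParentProcessId"]
            parent = created_as.get(ppid)
            if parent is not None:
                parent_img, parent_user = parent
                if parent_img not in EXPECTED_SYSTEM_PARENTS and parent_user != SYSTEM_USER:
                    hits.append((pid, ppid, parent_user))
            # Parents that predate the log window cannot be judged and are skipped.
        created_as[pid] = (img, ev["User"])
    return hits


# Constructed sample telemetry (not real logs): the service tree, a user's explorer session,
# a downloaded PoC, a benign SYSTEM cmd.exe from the task scheduler, and the PoC's SYSTEM cmd.exe.
SAMPLE_EVENTS = [
    {"ProcessId": 480,  "Image": r"C:\Windows\System32\services.exe", "User": SYSTEM_USER,
     "ParentProcessId": 400, "ParentImage": r"C:\Windows\System32\wininit.exe"},
    {"ProcessId": 892,  "Image": r"C:\Windows\System32\svchost.exe", "User": SYSTEM_USER,
     "ParentProcessId": 480, "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 1504, "Image": r"C:\Windows\System32\taskeng.exe", "User": SYSTEM_USER,
     "ParentProcessId": 892, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"ProcessId": 2212, "Image": r"C:\Windows\explorer.exe", "User": r"WIN7-X86\alice",
     "ParentProcessId": 2100, "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"ProcessId": 3004, "Image": r"C:\Users\alice\Downloads\poc.exe", "User": r"WIN7-X86\alice",
     "ParentProcessId": 2212, "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 3100, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_USER,
     "ParentProcessId": 1504, "ParentImage": r"C:\Windows\System32\taskeng.exe"},
    {"ProcessId": 3188, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_USER,
     "ParentProcessId": 3004, "ParentImage": r"C:\Users\alice\Downloads\poc.exe"},
]

if __name__ == "__main__":
    for child, parent, user in find_token_swap_children(SAMPLE_EVENTS):
        print(f"SYSTEM cmd.exe pid {child} spawned by pid {parent}, created as {user}")
```

Only the cmd.exe under poc.exe is reported; the scheduler-hosted cmd.exe is suppressed because taskeng.exe is in the expected-launcher set. The same creation-time comparison generalises to any SYSTEM child, not just cmd.exe, if the image check is relaxed, at the cost of more baseline tuning.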

CVSS provenance

  • NVD, CVSS v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • NVD, CVSS v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
  • VulnCheck: 7.8 HIGH
  • CISA: 7.8 HIGH
  • Vendor (MSRC): 6.3 MEDIUM

Note that the v2.0 vector records a network attack vector (AV:N) while the v3.1 vector (AV:L) and the CVE description itself describe a local privilege escalation; the v3.1 score is the one consistent with the vulnerability text.