CVE-2017-0101
Published 2017-03-17
Priority: P1 86 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-04-05
Exploited in the wild
EPSS: 57.48% (99.0th percentile)
The kernel-mode drivers in Transaction Manager in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."
Affected
7 ranges (the vendor-supplied entries cover only Vista SP2, Server 2008 SP2 and Windows 7 SP1; the Windows 8.1, Server 2012, RT 8.1, Windows 10 and Server 2016 builds named in the description are not broken out, and no version range or fixed build is recorded, so use the MSRC advisory under References for per-build updates)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft_corporation | windows | — | — |
| msrc | windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_itanium-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Exploit registers window classes with the string 'KCUF' as a class name marker; that string in window class registration activity may indicate exploit execution.
- Exploit calls the undocumented GDI32 function PolyPatBlt to trigger the kernel vulnerability; calls to PolyPatBlt from processes that are not otherwise GDI-heavy, or from unusual user-mode callers, are a detection signal (a weak one on its own, since the export is callable by any process).
- Exploit creates an oversized bitmap (0x36D x 0x12AE8F) via CreateBitmap to shape the kernel pool layout; anomalously large bitmap creation can be a detection indicator.
- Exploit targets the Windows 7 x86 kernel and overwrites the EPROCESS token pointer at offset 0x0f8 with the SYSTEM token; kernel integrity monitoring, or a memory-image check for a non-System process whose token pointer equals the System process's, should alert on this.
- Exploit uses EnumDeviceDrivers to locate the ntoskrnl base address as part of its KASLR bypass; user-mode calls to EnumDeviceDrivers (psapi) from non-administrative, non-debugging processes are suspicious.
- Exploit spawns a new cmd.exe console with SYSTEM privileges after the token swap; a cmd.exe running as NT AUTHORITY\SYSTEM whose parent runs as an ordinary user is a post-exploitation indicator (the CREATE_NEW_CONSOLE flag itself is generally not visible in process-creation telemetry, but the parent/child privilege mismatch is).
- Exploit uses a palette heap spray (0x64 palette entries) and checks for a specific pool alignment value (0x00000E54 masked with 0xFFF) to locate the controlled kernel pool page; this palette count and alignment check are exploit-specific.
- The PoC targets Windows 7 x86 specifically; the EPROCESS offsets (UniqueProcessId: 0x0b4, ActiveProcessLinks: 0x0b8, Token: 0x0f8) are hardcoded for this architecture and differ on other Windows versions and on x64 builds.
- The exploit uses hardcoded GDI object table offsets (iExtPaleHmgr=809, iExtcEntries=814, iExtPalColor=828) specific to the targeted Windows 7 x86 kernel build; they are not valid on other versions.
- The exploit relies on a heap spray of up to 2000 bitmaps and 3000 temporary objects (maxTimes/tmpTimes); the reliability of pool grooming is environment-dependent and may fail silently, and a failed attempt still produces the bitmap and palette creation activity listed above.
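The token-sharing check that the EPROCESS indicator above asks for, written out as an added example; this is not code from the PoC or from any source cited on this page. After a token swap, the victim's EPROCESS.Token (offset 0x0f8 on Windows 7 x86) holds the same _TOKEN pointer as the System process (PID 4); only the low three reference-count bits of the _EX_FAST_REF differ, so a raw compare can miss it. The field offsets are the ones quoted from the PoC; the EPROCESS size, base address, and the sample PIDs and token values are assumptions constructed for the demo, and on a real memory image you would use symbol-derived offsets for the target build rather than these hardcoded ones.

```python
import struct

# Windows 7 x86 _EPROCESS offsets, as hardcoded in the PoC (quoted in the IOC list).
OFF_UNIQUE_PID   = 0x0B4   # UniqueProcessId
OFF_ACTIVE_LINKS = 0x0B8   # ActiveProcessLinks: LIST_ENTRY {Flink, Blink}
OFF_TOKEN        = 0x0F8   # Token: _EX_FAST_REF (pointer | 3-bit refcount)
EPROCESS_SIZE    = 0x100   # assumption: large enough to hold the three fields above
FAST_REF_MASK    = 0xFFFFFFF8  # clears the refcount bits to recover the _TOKEN address


def build_snapshot(procs, base=0x85000000):
    """Construct a fake kernel memory image: one EPROCESS_SIZE blob per process at
    base + i*EPROCESS_SIZE, linked into a circular ActiveProcessLinks list.
    procs: list of (pid, raw_token_field). Returns (image_bytes, base)."""
    n = len(procs)
    image = bytearray(EPROCESS_SIZE * n)
    for i, (pid, token) in enumerate(procs):
        off = i * EPROCESS_SIZE
        flink = base + ((i + 1) % n) * EPROCESS_SIZE + OFF_ACTIVE_LINKS
        blink = base + ((i - 1) % n) * EPROCESS_SIZE + OFF_ACTIVE_LINKS
        struct.pack_into("<I", image, off + OFF_UNIQUE_PID, pid)
        struct.pack_into("<II", image, off + OFF_ACTIVE_LINKS, flink, blink)
        struct.pack_into("<I", image, off + OFF_TOKEN, token)
    return bytes(image), base


def walk_active_process_list(image, base, start_eprocess_va):
    """Follow ActiveProcessLinks.Flink from a known EPROCESS until the list wraps.
    Flink points at the LIST_ENTRY inside the next EPROCESS, so subtracting
    OFF_ACTIVE_LINKS recovers the structure start (CONTAINING_RECORD).
    Yields (pid, token_object_address) with the refcount bits stripped."""
    va = start_eprocess_va
    seen = set()
    while va not in seen:
        seen.add(va)
        off = va - base
        (pid,) = struct.unpack_from("<I", image, off + OFF_UNIQUE_PID)
        (flink,) = struct.unpack_from("<I", image, off + OFF_ACTIVE_LINKS)
        (raw_token,) = struct.unpack_from("<I", image, off + OFF_TOKEN)
        yield pid, raw_token & FAST_REF_MASK
        va = flink - OFF_ACTIVE_LINKS


def find_stolen_tokens(image, base, system_eprocess_va, system_pid=4):
    """PIDs of processes whose Token points at the same _TOKEN object as the
    System process: the state a token-swap exploit leaves behind."""
    procs = list(walk_active_process_list(image, base, system_eprocess_va))
    system_token = next(tok for pid, tok in procs if pid == system_pid)
    return [pid for pid, tok in procs if pid != system_pid and tok == system_token]


if __name__ == "__main__":
    # Constructed sample: PID 1337 has had System's token pointer copied into it.
    # The low bits differ (refcounts), which is why the mask is needed.
    image, base = build_snapshot([
        (4,    0x8A1C0003),   # System: _TOKEN at 0x8A1C0000, refcount 3
        (404,  0x8A1D0009),   # a service process with its own token
        (1337, 0x8A1C0006),   # victim after the swap: same _TOKEN as System
        (2020, 0x8A1E0010),   # unrelated process
    ])
    print("processes sharing System's token:", find_stolen_tokens(image, base, base))
```

The check only catches pointer copies, which is what this PoC does; an exploit that instead flips privilege bits inside the process's own _TOKEN would need a separate comparison of the token's privilege fields against what the account is entitled to.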
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 6.3 | MEDIUM | — |
The v2.0 vector's AV:N does not match the local, crafted-application scenario in the description; the v3.1 AV:L/PR:N values are the ones to use for prioritisation.
GHSA
GHSA-5cr3-r8pg-5j63 · ghsa_unreviewed · 2022-05-14 · CVE-2017-0101 [HIGH] CWE-119
Description: identical to the NVD text above.
VulnCheck
Microsoft Windows Transaction Manager Privilege Escalation Vulnerability
vulncheck · 2017 · CVSS 7.8 · CVE-2017-0101 [HIGH] CWE-119
A privilege escalation vulnerability exists when the Windows Transaction Manager improperly handles objects in memory.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates
- https://cybersecurityworks.com/howdymanage/uploads/file/RansomwareUpdate%20Report%202022%20Q1.pdf
- https://www.securin.io/articles/all-about-conti-ransomware/
Exploit PoC: https://vulncheck.com/xdb/d56031625002
Remediation Due: 2022-04-05
CISA
Microsoft Windows Transaction Manager Privilege Escalation Vulnerability
cisa · 2022-03-15 · CVSS 7.8 · CVE-2017-0101 [HIGH] CWE-119
Affected: Microsoft Windows
A privilege escalation vulnerability exists when the Windows Transaction Manager improperly handles objects in memory.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0101
Remediation Due Date: 2022-04-05
Microsoft
Windows Transaction Manager Elevation of Privilege Vulnerability
vendor_msrc · 2017-03-14 · CVSS 6.3 · CVE-2017-0101 [HIGH]
Description: An elevation of privilege vulnerability exists when the Windows Transaction Manager improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system.
The security update addresses the vulnerability by correcting how the Transaction Manager handles objects in memory.
Affected: Microsoft Windows
Vendor: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: N/A; Older Software Rele
The exploit status above is the vendor's assessment at publication in March 2017. The public PoC linked under References and the 2022 CISA KEV listing, with the Conti affiliate reporting cited in the VulnCheck entry, postdate it, so "Exploited: No" should not be read as the current state.
No detection rules found.
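Since no detection rule is recorded, here is an added example of one, written for this page rather than taken from any of the sources above. It implements the post-exploitation indicator from the Detection & IOCs list (a cmd.exe running as SYSTEM whose parent runs as an ordinary user) over Sysmon-style Event ID 1 process-creation records. The creation flags are not logged, so the rule keys on the parent/child account mismatch instead. The log lines are constructed for the demo, the field names follow Sysmon's Event ID 1 schema (ParentUser exists only in Sysmon 13 and later; older events are skipped rather than guessed at), and the broker allow-list is an assumption to tune per environment.

```python
import json

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
SERVICE_ACCOUNTS = {SYSTEM_ACCOUNT, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
# Parents that legitimately create SYSTEM children (service control, scheduled tasks,
# UAC's AppInfo path). Assumed allow-list for this example; tune to your environment.
ELEVATION_BROKERS = {"services.exe", "svchost.exe", "wininit.exe"}


def _basename(path):
    """Last path component, lower-cased, so C:\\Windows\\System32\\cmd.exe -> cmd.exe."""
    return path.rsplit("\\", 1)[-1].lower()


def privilege_jump(event):
    """Classify one Sysmon Event ID 1 record (a dict). Returns a finding when a
    NT AUTHORITY\\SYSTEM child was created directly by a parent running as an
    ordinary user, otherwise None. Records without ParentUser cannot be judged."""
    if event.get("EventID") != 1:
        return None
    parent_user = event.get("ParentUser")
    if not parent_user:
        return None  # pre-Sysmon-13 record: no parent account, do not guess
    if event.get("User", "").upper() != SYSTEM_ACCOUNT:
        return None  # child is not SYSTEM: not the token-swap pattern
    if parent_user.upper() in SERVICE_ACCOUNTS:
        return None  # SYSTEM -> SYSTEM is normal service behaviour
    parent_image = _basename(event.get("ParentImage", ""))
    if parent_image in ELEVATION_BROKERS:
        return None
    return {
        "pid": event["ProcessId"],
        "image": _basename(event.get("Image", "")),
        "parent_pid": event["ParentProcessId"],
        "parent_image": parent_image,
        "parent_user": parent_user,
        "reason": "SYSTEM child created directly by a non-service parent",
    }


def scan(ndjson_lines):
    """Run privilege_jump over newline-delimited JSON events; return the findings."""
    findings = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        finding = privilege_jump(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs). Only the third record is the
# exploit pattern: a medium-integrity user process spawning a SYSTEM cmd.exe.
SAMPLE_EVENTS = r'''
{"EventID":1,"ProcessId":3020,"Image":"C:\\Windows\\System32\\notepad.exe","User":"CORP\\alice","IntegrityLevel":"Medium","ParentProcessId":1804,"ParentImage":"C:\\Windows\\explorer.exe","ParentUser":"CORP\\alice"}
{"EventID":1,"ProcessId":1200,"Image":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","IntegrityLevel":"System","ParentProcessId":612,"ParentImage":"C:\\Windows\\System32\\services.exe","ParentUser":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"ProcessId":4912,"Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM","IntegrityLevel":"System","ParentProcessId":4788,"ParentImage":"C:\\Users\\alice\\Downloads\\exploit.exe","ParentUser":"CORP\\alice"}
{"EventID":1,"ProcessId":5100,"Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM","IntegrityLevel":"System","ParentProcessId":1200,"ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentUser":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"ProcessId":5300,"Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM","IntegrityLevel":"System","ParentProcessId":4788,"ParentImage":"C:\\Users\\alice\\Downloads\\exploit.exe"}
'''.strip().splitlines()


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The rule is deliberately narrow: it fires on the account jump, not on cmd.exe by name, so it also covers the same exploit spawning any other image, and it stays quiet for the normal SYSTEM-to-SYSTEM service and scheduled-task parentage. The last sample record shows the failure mode to be aware of: without ParentUser (Sysmon before v13) the same exploit goes unflagged, and you would need to join against the parent's own Event ID 1 record to recover the parent account.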
References
- http://www.securityfocus.com/bid/96625
- http://www.securitytracker.com/id/1038013
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0101
- https://www.exploit-db.com/exploits/44479/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0101
- 2017-03-17: Published
- 2022-03-15: Added to CISA KEV
- Exploited in the wild