CVE-2017-0263
Published 2017-05-12
Priority P1 · 81 · high · CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-08-10
Exploited in the wild
EPSS: 10.03% (95.0th percentile)
The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft_corporation | microsoft_windows | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCs (extracted from sources)
Bytes: 0x55 0x8b 0xec 0x8b 0x45 0x0c 0x3d 0x9f 0x9f 0x00 0x00 (xxPayloadWindProc token-stealing shellcode)
- Detect exploitation attempts by monitoring for NtUserSetWindowFNID syscall invocations on windows whose fnid is already set to FNID_FREED (0x8000), indicating the UAF condition being triggered in win32k.
- Detect the exploit's use of TrackPopupMenuEx combined with WH_CALLWNDPROC and SetWinEventHook (EVENT_SYSTEM_MENUPOPUPSTART) hooks in the same process, which is the trigger mechanism for the UAF.
- CVE-2017-0263 was deployed alongside CVE-2017-0262 (MS Office EPS type confusion) in the same spearphish document; detections for either exploit should trigger investigation for the paired exploit.
- The exploit targets a 30 KB GAMEFISH backdoor as its payload; small (~30 KB) executables dropped after win32k EoP exploitation should be investigated as potential GAMEFISH implants.
- The EPROCESS offsets used in the shellcode (ActiveLink=0x0b8, Token=0x0f8, THREADINFO_ppi=0x0b8, CLS_lpszMenuName=0x050) are hardcoded for Windows 7 x86; these offsets differ across OS versions and must be adjusted for other targets.
- The sources covering CVE-2017-0263 IOCs are primarily from the Sofacy/APT28 campaign context; the same vulnerability was later referenced in CVE-2018-8453 analysis, so IOC overlap between the two CVEs should be expected when triaging.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
CISA
Microsoft Win32k Privilege Escalation Vulnerability
cisa·2022-02-10·CVSS 7.8
CVE-2017-0263 [HIGH] CWE-416 Microsoft Win32k Privilege Escalation Vulnerability
Vulnerability: Microsoft Win32k Privilege Escalation Vulnerability
Affected: Microsoft Win32k
Microsoft Win32k contains a privilege escalation vulnerability due to the Windows kernel-mode driver failing to properly handle objects in memory.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0263
Remediation Due Date: 2022-08-10
Microsoft
Win32k Elevation of Privilege Vulnerability
vendor_msrc·2017-05-09·CVSS 7.8
CVE-2017-0263 [HIGH] Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Windows Kernel-Mode Drivers: Windows Kernel-Mode D
GHSA
GHSA-4fm9-9m4x-vrqw: A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 a
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2017-8552 [HIGH] CWE-281 GHSA-4fm9-9m4x-vrqw: A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 a
A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows 8 allows an elevation of privilege when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". This CVE is unique from CVE-2017-0263.
GHSA
GHSA-c264-rp8f-rf64: The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-13
CVE-2017-0263 [HIGH] CWE-416 GHSA-c264-rp8f-rf64: The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2017·CVSS 7.8
CVE-2017-0263 [HIGH] CWE-416 Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k contains a privilege escalation vulnerability due to the Windows kernel-mode driver failing to properly handle objects in memory.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2017-May; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html; https://securelist.com/a-slice-of-2017-sofacy-activity/83930/; https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf; https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/; https://www.tenable.com/blog/daisy-chaining-h
No detection rules found.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable·2021-01-21
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
Checkpoint
Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint·2020-10-02
CVE-2019-0859 Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
## Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Securelist
Zero-day exploit (CVE-2018-8453) used in targeted attacks | Securelist
blogs_securelist·2018-10-10·CVSS 7.8
CVE-2018-8453 [HIGH] Zero-day exploit (CVE-2018-8453) used in targeted attacks | Securelist
Authors
- AMR
Yesterday, Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. We reported this vulnerability to Microsoft on August 17, 2018. Microsoft confirmed the vulnerability and designated it CVE-2018-8453.
In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many di
Securelist
A Slice of 2017 Sofacy Activity
blogs_securelist·2018-02-20
A Slice of 2017 Sofacy Activity
Table of Contents
- Dealer’s Choice
- 0day Deployment(s)
- Light SPLM deployment in Central Asia and Consistent Infrastructure
- Heavy Zebrocy deployments
- SPLM deployment in Central Asia
- SPLM/CHOPSTICK/XAgent Modularity and Infrastructure
- Infrastructure Notes
- Conclusion
- Technical Appendix
Authors
- GReAT
Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of YARA, IOC, and reports on Sofacy, our most reported APT for the year.
This high level of cyber-espionage activity
Securelist
APT Trends report Q2 2017
blogs_securelist·2017-08-08
APT Trends report Q2 2017
Table of Contents
- Introduction
- Russian-Speaking Actors
- English-Speaking Actors
- Korean-speaking Actors
- Middle Eastern Actors
- Chinese-Speaking Actors
- Best of the rest
- Predictions
- How to keep yourself protected
Authors
- GReAT
## Introduction
Since 2014, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide-range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors. Since we began offering a threat intelligence service, all deep technical details on advanced campaigns are first
Securelist
APT Trends report Q2 2017
blogs_securelist·2017-08-08·CVSS 7.8
[HIGH] APT Trends report Q2 2017
## Introduction
Kaspersky’s Private Threat Intelligence Portal (TIP)
In Q1 of 2017 we published our first APT Trends report , highlighting our top research findings over the last few months. We will continue to publish quarterly reports as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most users should be aware of. If you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to
Talos
Microsoft Patch Tuesday - May 2017
blogs_talos·2017-05-10·CVSS 7.5
CVE-2017-0290 [HIGH] Microsoft Patch Tuesday - May 2017
Today, Microsoft has released their monthly set of security updates designed to address vulnerabilities. This month's release addresses 56 vulnerabilities with 15 of them rated critical and 41 rated important. Impacted products include .NET, DirectX, Edge, Internet Explorer, Office, SharePoint, and Windows.
In addition to the coverage Talos is providing for the normal monthly Microsoft security advisories, Talos is also providing coverage for CVE-2017-0290, the MsMpEng Malware Protection service vulnerability in Windows reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero. Snort rule SIDs for this specific vulnerability are 42820-42821.
## Vulnerabilities Rated Critical
The following vulnerabilities are rated critical by Microsoft:
- CVE-2017-0221
- CVE-2017-0222
- CV
Zscaler
Zscaler found Multiple Security Vulnerabilities | 05-09-2017
blogs_zscaler·CVSS 7.8
[HIGH] Zscaler found Multiple Security Vulnerabilities | 05-09-2017
Threat Intel
APT28 (APT28, IRON TWILIGHT, SNAKEMACKEREL)
threat_intel
APT28 (APT28, IRON TWILIGHT, SNAKEMACKEREL)
# Threat Actor Profile: APT28
ATT&CK ID: G0007
Also known as: APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch
Suspected origin: Russia
## Overview
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-412
arXiv
Identification of Attack Paths Using Kill Chain and Attack Graphs
arxiv_fulltext·2022-06-21
Identification of Attack Paths Using Kill Chain and Attack Graphs
Lukáš Sadlek (1,2), Pavel Čeleda (1,2), Daniel Tovarňák (1)
1 Institute of Computer Science, Masaryk University, Brno, Czech Republic
2 Faculty of Informatics, Masaryk University, Brno, Czech Republic
## Abstract
The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chain and attack graphs.
Kill chain and attack graphs are threat modeling concepts that enable
References
- http://www.securityfocus.com/bid/98258
- http://www.securitytracker.com/id/1038449
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263
- https://www.exploit-db.com/exploits/44478/
- https://xiaodaozhi.com/exploit/117.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0263
Published: 2017-05-12
Added to CISA KEV: 2022-02-10
Exploited in the wild