CVE-2017-0263
published 2017-05-12


Priority: P1 · 81 · high
CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-08-10
Exploited in the wild
EPSS: 10.03% (95.0th percentile)
The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

Affected (15 ranges)

Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | |
microsoft | windows_server_2012 | |
microsoft_corporation | microsoft_windows | |
msrc | windows_10 | |
msrc | windows_10_version_1511 | |
msrc | windows_10_version_1607 | |
msrc | windows_10_version_1703 | |
msrc | windows_7 | |
msrc | windows_8.1 | |
msrc | windows_rt_8.1 | |
msrc | windows_server_2008 | |
msrc | windows_server_2008_r2 | |
msrc | windows_server_2012 | |
msrc | windows_server_2012_r2 | |
msrc | windows_server_2016 | |

Detection & IOCs (extracted from sources)

Type | Indicator
process | NtUserSetWindowFNID
other | FNID_SCROLLBAR=0x029A
other | FNID_FREED=0x8000
other | tagWND+0x02a fnid offset
other | WM_LBUTTONDOWN trigger on parent window to invoke DestroyWindow UAF chain
bytes | 0x55 0x8b 0xec 0x8b 0x45 0x0c 0x3d 0x9f 0x9f 0x00 0x00 (xxPayloadWindProc token-stealing shellcode)
  • Detect exploitation attempts by monitoring for NtUserSetWindowFNID syscall invocations on windows whose fnid is already set to FNID_FREED (0x8000), indicating the UAF condition being triggered in win32k.
  • Detect the exploit's use of TrackPopupMenuEx combined with WH_CALLWNDPROC and SetWinEventHook (EVENT_SYSTEM_MENUPOPUPSTART) hooks in the same process, which is the trigger mechanism for the UAF.
  • CVE-2017-0263 was deployed alongside CVE-2017-0262 (MS Office EPS type confusion) in the same spearphish document; detections for either exploit should trigger investigation for the paired exploit.
  • The exploit targets a 30 KB GAMEFISH backdoor as its payload; small (~30 KB) executables dropped after win32k EoP exploitation should be investigated as potential GAMEFISH implants.
  • The EPROCESS offsets used in the shellcode (ActiveLink=0x0b8, Token=0x0f8, THREADINFO_ppi=0x0b8, CLS_lpszMenuName=0x050) are hardcoded for Windows 7 x86; these offsets differ across OS versions and must be adjusted for other targets.
  • The sources covering CVE-2017-0263 IOCs are primarily from the Sofacy/APT28 campaign context; the same vulnerability was later referenced in CVE-2018-8453 analysis, so IOC overlap between the two CVEs should be expected when triaging.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 7.8 | HIGH |
cisa | | 7.8 | HIGH |
vendor_msrc | | 7.8 | HIGH |