CVE-2019-0543
published 2019-01-08

CVE-2019-0543: An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege…

Priority: P1 (score 84, high) · CVSS 3.1 base score 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-05
Exploited in the wild
EPSS: 4.72% (90.7th percentile)
An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Affected (19 ranges)

Vendor      Product                         Version range           Fixed in
linux       linux_kernel                    >= 0 < 4.4.0-184.214    4.4.0-184.214
microsoft   windows_server_2008             -                       -
microsoft   windows_server_2012             -                       -
msrc        windows_10                      -                       -
msrc        windows_10_version_1607         -                       -
msrc        windows_10_version_1703         -                       -
msrc        windows_10_version_1709         -                       -
msrc        windows_10_version_1803         -                       -
msrc        windows_10_version_1809         -                       -
msrc        windows_7                       -                       -
msrc        windows_8.1                     -                       -
msrc        windows_rt_8.1                  -                       -
msrc        windows_server_2008             -                       -
msrc        windows_server_2008_r2          -                       -
msrc        windows_server_2012             -                       -
msrc        windows_server_2012_r2          -                       -
msrc        windows_server_2016             -                       -
msrc        windows_server_2019             -                       -
msrc        windows_server_version_1709     -                       -

The linux/linux_kernel row does not correspond to any product in the Microsoft description above (this is a Windows authentication bug); verify it against the vendor advisory before treating Linux hosts as affected. The microsoft and msrc rows carry no version range or fixed-in data here, so use the January 2019 Microsoft update guidance for the per-build KB numbers.

Detection & IOCs (extracted from sources)

Source: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46156.zip
  • Monitor for processes spawned in Session 0 by non-SYSTEM interactive users — the exploit abuses NTLM loopback authentication via AcquireCredentialsHandle with a SEC_WINNT_AUTH_IDENTITY_EX structure (username/domain set, password omitted) to obtain a network token with Session ID 0, then uses the COM activator to create a child process under that token.
  • Detect calls to AcquireCredentialsHandle where pAuthData supplies a SEC_WINNT_AUTH_IDENTITY_EX structure with username and domain fields populated but no password — this is the specific trigger that bypasses normal loopback short-circuit and returns a Session 0 network token.
  • Alert on COM activator-spawned child processes whose token Session ID is 0 while the parent process is running in an interactive (non-zero) session — this is the observable post-exploitation behaviour of the PoC.
  • Flag use of NtApiDotNet (NuGet package) in compiled C# tooling on endpoints, particularly when combined with SSPI/NTLM loopback authentication activity — the PoC explicitly depends on this library.
  • In AppContainer / Edge sandbox environments, watch for Enterprise Authentication capability usage combined with NTLM loopback — the exploit may return a full (non-AC) token instead of the expected AppContainer token, enabling privilege escalation.
  • Caveat: the PoC was only validated on Windows 10 versions 1803 and 1809; behaviour on earlier Windows versions was not confirmed by the researcher.
  • Caveat: normal loopback NTLM authentication (no pAuthData buffer, or a SEC_WINNT_AUTH_IDENTITY_EX with empty username/domain) does NOT trigger the vulnerability; only the specific case of username and domain set with no password does.
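The first and third bullets above describe one observable shape: a process whose token has Session ID 0 even though it is owned by an ordinary interactive user and/or was created from an interactive session. The following is an added example of a hunt over a process snapshot that flags exactly that shape; it is not the PoC's code and not taken from this page's sources. The record fields (pid, ppid, session, user, image) are an assumption made for the example; on a real host you would fill them from the process list together with the session ID and token owner of each process. The snapshot itself is constructed data.

```python
"""Hunt a process snapshot for Session 0 processes that do not belong there.

Assumed record shape (an assumption for this example, not a Windows API):
    {"pid": int, "ppid": int, "session": int, "user": str, "image": str}
On a Windows host the session would come from ProcessIdToSessionId and the
user from the primary token owner. SAMPLE_SNAPSHOT below is constructed.
"""

# Identities that legitimately run in Session 0: built-in service accounts,
# virtual service accounts and IIS app-pool identities. Anything else found
# in Session 0 is worth a look.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
SERVICE_PREFIXES = ("NT SERVICE\\", "IIS APPPOOL\\")


def is_service_identity(user):
    """True if `user` is an account expected to own Session 0 processes."""
    u = user.upper()
    return u in SERVICE_ACCOUNTS or u.startswith(SERVICE_PREFIXES)


# Constructed snapshot: a normal service tree, an interactive user, and two
# Session 0 processes owned by that user (the post-exploitation shape).
SAMPLE_SNAPSHOT = [
    {"pid": 4,    "ppid": 0,    "session": 0, "user": "NT AUTHORITY\\SYSTEM",          "image": "System"},
    {"pid": 700,  "ppid": 4,    "session": 0, "user": "NT AUTHORITY\\SYSTEM",          "image": "svchost.exe"},
    {"pid": 900,  "ppid": 700,  "session": 0, "user": "NT AUTHORITY\\NETWORK SERVICE", "image": "svchost.exe"},
    {"pid": 1200, "ppid": 700,  "session": 0, "user": "NT SERVICE\\MSSQLSERVER",       "image": "sqlservr.exe"},
    {"pid": 3120, "ppid": 1000, "session": 1, "user": "CORP\\alice",                   "image": "explorer.exe"},
    {"pid": 4410, "ppid": 3120, "session": 1, "user": "CORP\\alice",                   "image": "poc.exe"},
    # child in Session 0, owned by the interactive user, parent in Session 1
    {"pid": 4422, "ppid": 4410, "session": 0, "user": "CORP\\alice",                   "image": "cmd.exe"},
    # Session 0 process owned by the interactive user but parented by a
    # service (the shape when a COM activator service does the spawning)
    {"pid": 4430, "ppid": 700,  "session": 0, "user": "CORP\\alice",                   "image": "dllhost.exe"},
]


def find_session0_anomalies(snapshot):
    """Return one finding per Session 0 process that is owned by a non-service
    identity, or whose parent lives in an interactive (non-zero) session.
    A process matching both rules is listed first: that is the strongest signal."""
    by_pid = {p["pid"]: p for p in snapshot}
    findings = []
    for proc in snapshot:
        if proc["session"] != 0:
            continue
        reasons = []
        if not is_service_identity(proc["user"]):
            reasons.append("non-service identity owns a Session 0 process")
        parent = by_pid.get(proc["ppid"])
        if parent is not None and parent["session"] != 0:
            reasons.append(
                f"parent {parent['image']} (pid {parent['pid']}) runs in session {parent['session']}"
            )
        if reasons:
            findings.append({
                "pid": proc["pid"],
                "image": proc["image"],
                "user": proc["user"],
                "reasons": reasons,
            })
    findings.sort(key=lambda f: (-len(f["reasons"]), f["pid"]))
    return findings


if __name__ == "__main__":
    for f in find_session0_anomalies(SAMPLE_SNAPSHOT):
        print(f"pid {f['pid']:>5}  {f['image']:<12} {f['user']:<30} {'; '.join(f['reasons'])}")
```

The parent-session rule on its own will also fire on legitimate cross-session activity, so treat the identity rule as the primary filter and the parent rule as a severity boost; the two-reason hit (cmd.exe above) is the one to page on. Feed the function a snapshot taken at short intervals rather than a single pass, since the spawned child may be short-lived.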

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0      4.6     MEDIUM     AV:L/AC:L/Au:N/C:P/I:P/A:P
osv           -         6.5     MEDIUM     -
vulncheck     -         7.8     HIGH       -
cisa          -         7.8     HIGH       -
vendor_msrc   -         7.8     HIGH       -