CVE-2019-0797
published 2019-04-09

Priority: P2 · 79 · high
CVSS 3.1: 7.8 (High) · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA KEV: listed, remediation due 2022-05-03
Exploited in the wild: yes
EPSS: 1.89% (77.0th percentile)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0808.

Affected

26 ranges (showing 25). The version-range and fixed-in columns are empty in this listing; only vendor and product survive.

Vendor      Product
microsoft   windows (2 entries)
microsoft   windows_server (8 entries)
microsoft   windows_server_2008
microsoft   windows_server_2012
msrc        windows_10
msrc        windows_10_version_1607
msrc        windows_10_version_1703
msrc        windows_10_version_1709
msrc        windows_10_version_1803
msrc        windows_10_version_1809
msrc        windows_8.1
msrc        windows_rt_8.1
msrc        windows_server_2012
msrc        windows_server_2012_r2
msrc        windows_server_2016
msrc        windows_server_2019
msrc        windows_server_version_1709

Detection & IOCs (extracted from sources)

filename: Darkpulsar-1.1.0.9.xml
registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers
port:     445
process:  lsass.exe
  • Look for DarkPulsar's backdoor DLL loaded as a Security Support Provider / Authentication Package (SSP/AP) inside lsass.exe via Secur32!AddSecurityPackage. The implant exports functions whose names match the TSPI and SSPI interfaces, but their bodies are malicious.
  • Monitor for hooks on SpAcceptLsaModeContext in msv1_0.dll, kerberos.dll, schannel.dll, wdigest.dll and lsasrv.dll inside lsass.exe; DarkPulsar hooks these to intercept and bypass authentication.
  • Detect EDFStagedUpload activity by watching for a persistent connection on port 445 together with a pair of bound sockets appearing in lsass.exe, followed by a sharp increase in network traffic when the PeddleCheap payload is deployed.
  • DarkPulsar embeds its C2 traffic inside standard system protocols (NTLM, Kerberos, TLS/SSL, Digest, Negotiate). The network activity is therefore attributed to the System process on system-reserved ports, not to a standalone malicious process.
  • DarkPulsar supports SMB, NBT, SSL and RDP as delivery protocols; protocol and port are specified per command, so detections must cover all four.
  • Both 32-bit and 64-bit builds of the DarkPulsar backdoor exist; detections and forensic checks must cover both architectures.

Note that these indicators describe the DarkPulsar implant rather than the Win32k memory-corruption bug itself. A local privilege escalation produces none of the network artefacts above, so treat them as post-exploitation hunting leads, not as detections for the exploit trigger.
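As an added example (not code from this page or from any DarkPulsar analysis), the following Python turns the hunting ideas above into checks run over constructed Sysmon-style telemetry: unsigned or unexpected modules loaded into lsass.exe, new entries in the LSA "Security Packages" value, DLLs registered under Telephony\Providers, and a System-attributed port-445 session whose byte count jumps sharply. The event records, the module name tspssp.dll, the SSP allow-list and the spike factor are all assumptions chosen for the demonstration.

```python
"""Hunt for DarkPulsar-style SSP/AP persistence and covert port-445 sessions.

All events below are constructed for the example, loosely modelled on Sysmon
event IDs 7 (image load), 13 (registry value set) and 3 (network connect).
"""

# Assumed allow-list of stock LSA security packages; tune against a baseline.
KNOWN_SSP = {
    "msv1_0.dll", "kerberos.dll", "schannel.dll", "wdigest.dll", "lsasrv.dll",
    "tspkg.dll", "pku2u.dll", "negoexts.dll", "cloudap.dll",
}

SPIKE_FACTOR = 10  # assumed: a 10x jump between intervals is a "dramatic increase"

# Constructed telemetry. "tspssp.dll" is a hypothetical implant file name.
EVENTS = [
    {"id": 7, "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\Windows\System32\msv1_0.dll", "signed": True},
    {"id": 7, "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\Windows\System32\tspssp.dll", "signed": False},
    {"id": 13, "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
     "value": "kerberos msv1_0 schannel wdigest tspkg pku2u tspssp"},
    {"id": 13, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers",
     "value": r"C:\Windows\System32\tspssp.dll"},
    {"id": 3, "pid": 4, "image": "System", "dst_port": 445, "bytes": 2000, "t": 0},
    {"id": 3, "pid": 4, "image": "System", "dst_port": 445, "bytes": 2100, "t": 1},
    {"id": 3, "pid": 4, "image": "System", "dst_port": 445, "bytes": 90000, "t": 2},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_lsass_modules(events):
    """Modules loaded into lsass.exe that are unsigned or not a known SSP."""
    hits = []
    for e in events:
        if e["id"] != 7 or _basename(e["image"]) != "lsass.exe":
            continue
        name = _basename(e["loaded"])
        if not e["signed"] or name not in KNOWN_SSP:
            hits.append(name)
    return hits


def new_security_packages(events):
    """Package names written to Lsa\\Security Packages that are not allow-listed.

    A package listed here is loaded into lsass.exe at boot, the same effect as
    a runtime AddSecurityPackage call but persistent across reboots.
    """
    found = []
    for e in events:
        if e["id"] == 13 and e["key"].lower().endswith("\\lsa\\security packages"):
            for pkg in e["value"].split():
                if pkg.lower() + ".dll" not in KNOWN_SSP:
                    found.append(pkg)
    return found


def telephony_provider_dlls(events):
    """Values written under Telephony\\Providers that name a .dll.

    Assumption: legitimate telephony service providers ship as .tsp files,
    so a .dll registered here is worth a look.
    """
    return [e["value"] for e in events
            if e["id"] == 13
            and e["key"].lower().endswith("\\telephony\\providers")
            and e["value"].lower().endswith(".dll")]


def system_445_spike(events, factor=SPIKE_FACTOR):
    """First interval where a PID-4 port-445 session's byte count jumps by `factor`x.

    Models "persistent 445 connection, then a dramatic increase in traffic when
    PeddleCheap is deployed". Returns None when no such jump exists.
    """
    samples = sorted((e["t"], e["bytes"]) for e in events
                     if e["id"] == 3 and e["pid"] == 4 and e["dst_port"] == 445)
    for (_, b0), (t1, b1) in zip(samples, samples[1:]):
        if b0 and b1 >= factor * b0:
            return {"at": t1, "from": b0, "to": b1}
    return None


def hunt(events):
    """Run every check and return only the ones that fired."""
    results = {
        "lsass_modules": unexpected_lsass_modules(events),
        "security_packages": new_security_packages(events),
        "telephony_providers": telephony_provider_dlls(events),
        "system_445_spike": system_445_spike(events),
    }
    return {k: v for k, v in results.items() if v}


if __name__ == "__main__":
    for check, finding in hunt(EVENTS).items():
        print(f"{check}: {finding}")
```

The four checks are deliberately independent: a single SSP/AP load in lsass.exe is noisy on hosts with third-party credential providers, but the same module showing up in the LSA package list, under Telephony\Providers and alongside a System-attributed 445 session is a much stronger signal.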

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck             7.8    HIGH
cisa                  7.8    HIGH
vendor_msrc           7.0    HIGH