CVE-2019-1184
published 2019-08-14


Priority: P3 · 58 · Severity: medium · CVSS 3.1 base score: 6.7
Vector: AV:L / AC:H / PR:L / UI:R / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 70.23% (99.3rd percentile)
An elevation of privilege vulnerability exists when Windows Core Shell COM Server Registrar improperly handles COM calls. An attacker who successfully exploited this vulnerability could potentially set certain items to run at a higher level and thereby elevate permissions. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting unprotected COM calls.

Affected (23 ranges)

Vendor     Product                                           Version range             Fixed in
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10_version_1803                           >= 10.0.0 < publication   publication
microsoft  windows_10_version_1809                           >= 10.0.0 < publication   publication
microsoft  windows_10_version_1903_for_32-bit_systems        >= 10.0.0 < publication   publication
microsoft  windows_10_version_1903_for_arm64-based_systems   >= 10.0.0 < publication   publication
microsoft  windows_10_version_1903_for_x64-based_systems     >= 10.0.0 < publication   publication
microsoft  windows_server_2016
microsoft  windows_server_2016
microsoft  windows_server_2019                               >= 10.0.0 < publication   publication
msrc       windows_10_version_1803_for_32-bit_systems
msrc       windows_10_version_1803_for_arm64-based_systems
msrc       windows_10_version_1803_for_x64-based_systems
msrc       windows_10_version_1809_for_32-bit_systems
msrc       windows_10_version_1809_for_arm64-based_systems
msrc       windows_10_version_1809_for_x64-based_systems
msrc       windows_10_version_1903_for_32-bit_systems
msrc       windows_10_version_1903_for_arm64-based_systems
msrc       windows_10_version_1903_for_x64-based_systems
msrc       windows_server_2019
msrc       windows_server_version_1803
msrc       windows_server_version_1903

Detection & IOCs (extracted from sources)

registry: HKCR\CLSID\{54E14197-88B0-442F-B9A3-86837061E2FB}
other:    CLSID 54E14197-88B0-442F-B9A3-86837061E2FB (CoreShellCOMServerRegistrar)
other:    IID 27EB33A5-77F9-4AFE-AE05-6FDBBE720EE7 (ICoreShellComServerRegistrar)
path:     %SystemRoot%\system32\CoreShellExtFramework.dll
  • Monitor for low-integrity processes activating the CoreShellCOMServerRegistrar COM class (CLSID 54E14197-88B0-442F-B9A3-86837061E2FB) via CLSCTX_LOCAL_SERVER; in normal operation this activation should come only from sihost.exe.
  • Detect calls to the OpenProcess and DuplicateHandle methods of ICoreShellComServerRegistrar from low-integrity processes; these are the primary exploit primitives used to escalate from low to medium integrity.
  • Detect VirtualAllocEx with PAGE_EXECUTE_READWRITE followed by WriteProcessMemory and CreateRemoteThread targeting sihost.exe from a process at low integrity; this is the shellcode injection pattern used by the public exploit. A low-integrity process cannot open a medium-integrity process with those access rights on its own, so the handle to sihost.exe is obtained through the COM server's OpenProcess/DuplicateHandle primitives above.
  • The August 2019 patch loosened the DACL (replacing capability SIDs with ALL APPLICATION PACKAGES) and added manual capability checks in code; the October 2019 patch reversed this and instead raised the mandatory integrity label in the LaunchPermission SACL from Low (LW) to Medium. Detection logic should account for both patch states.
  • The exploit requires an interactive user session because sihost.exe (the COM server) is only launched when a user logs on interactively; the attack surface does not exist on headless/server sessions without an interactive logon.
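The following PowerShell script is an added example, not part of this CVE record and not Microsoft's code. It reads the DCOM LaunchPermission security descriptor that governs activation of CoreShellCOMServerRegistrar and maps what it finds onto the patch states listed above: a Low mandatory label with capability SIDs in the DACL (unpatched layout), a DACL granting ALL APPLICATION PACKAGES (August 2019 update), or a Medium mandatory label (October 2019 update). Assumptions that the record does not state: the AppID is taken from the `AppID` value under the CLSID key, falling back to the CLSID itself when that value is absent; a missing LaunchPermission value means the machine-wide DCOM default applies and is reported as unknown. The script is read-only and expects an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the CVE record or from Microsoft): audit the LaunchPermission
# of CoreShellCOMServerRegistrar and classify the host against the patch states above.
# Assumptions: AppID read from the CLSID key's 'AppID' value, else AppID == CLSID;
# no LaunchPermission value => DCOM machine default, reported as 'unknown'.

$Clsid = '{54E14197-88B0-442F-B9A3-86837061E2FB}'   # CoreShellCOMServerRegistrar (from the record)

function Get-LaunchPermissionDescriptor {
    param([string]$Clsid)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $appId = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).AppID
    if (-not $appId) { $appId = $Clsid }   # assumption: AppID == CLSID when no AppID value exists
    $appIdKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
    $bytes = (Get-ItemProperty -Path $appIdKey -Name LaunchPermission -ErrorAction SilentlyContinue).LaunchPermission
    if (-not $bytes) { return $null }
    # LaunchPermission is a self-relative SECURITY_DESCRIPTOR stored as REG_BINARY
    return [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
}

function Get-MandatoryLabelSid {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd)
    if ($null -eq $Sd.SystemAcl) { return $null }
    foreach ($ace in $Sd.SystemAcl) {
        # SYSTEM_MANDATORY_LABEL_ACE_TYPE (0x11) is outside .NET's AceType enum, so .NET
        # surfaces it as a CustomAce whose Opaque bytes are ACCESS_MASK (4 bytes) + label SID
        if ([int]$ace.AceType -eq 0x11) {
            return [System.Security.Principal.SecurityIdentifier]::new([byte[]]$ace.Opaque, 4)
        }
    }
    return $null
}

function Get-LaunchDaclEntries {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd)
    if ($null -eq $Sd.DiscretionaryAcl) { return @() }
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $name = '(unresolvable, e.g. capability SID)'
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Type = $ace.AceType
            Sid  = $ace.SecurityIdentifier.Value
            Name = $name
            Mask = '0x{0:X}' -f $ace.AccessMask
        }
    }
}

function Get-CoreShellLaunchState {
    param([string]$Clsid)
    $sd = Get-LaunchPermissionDescriptor -Clsid $Clsid
    if ($null -eq $sd) {
        return [pscustomobject]@{ State = 'unknown: no explicit LaunchPermission, DCOM machine default applies'; Label = 'n/a'; Dacl = @() }
    }
    $label = Get-MandatoryLabelSid -Sd $sd
    $labelValue = if ($label) { $label.Value } else { 'none' }
    $dacl = @(Get-LaunchDaclEntries -Sd $sd)
    $allAppPackages = $dacl | Where-Object { $_.Sid -eq 'S-1-15-2-1' }     # ALL APPLICATION PACKAGES
    $capabilitySids = $dacl | Where-Object { $_.Sid -like 'S-1-15-3-*' }   # capability SIDs

    # S-1-16-4096 = Low (LW) integrity label, S-1-16-8192 = Medium integrity label
    if ($labelValue -eq 'S-1-16-8192') {
        $state = 'Medium label: consistent with the October 2019 update (low-integrity callers cannot activate)'
    } elseif ($labelValue -eq 'S-1-16-4096' -and $allAppPackages) {
        $state = 'Low label with ALL APPLICATION PACKAGES in DACL: consistent with the August 2019 update (checks moved into code)'
    } elseif ($labelValue -eq 'S-1-16-4096' -and $capabilitySids) {
        $state = 'Low label with capability SIDs in DACL: consistent with the unpatched layout'
    } else {
        $state = 'unrecognised layout: inspect the label and DACL below manually'
    }
    [pscustomobject]@{ State = $state; Label = $labelValue; Dacl = $dacl }
}

$result = Get-CoreShellLaunchState -Clsid $Clsid
"Mandatory label on LaunchPermission: $($result.Label)"
"Assessment: $($result.State)"
$result.Dacl | Format-Table -AutoSize
```

The label check is the decisive one: once the LaunchPermission carries a Medium mandatory label, a low-integrity client cannot activate the class at all, so the OpenProcess/DuplicateHandle primitives are out of reach regardless of what the DACL grants. The DACL listing is printed so that an unexpected layout (for example a later servicing change) can be judged by hand rather than misclassified.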

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.1      6.7     MEDIUM     CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_msrc            6.7     MEDIUM