CVE-2023-29336
published 2023-05-09

CVE-2023-29336: Win32k Elevation of Privilege Vulnerability

Severity: High (CVSS 3.1 base score 7.8)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2023-05-30)
Exploited in the wild; public exploit/PoC available
EPSS: 40.92% (98.5th percentile)

Affected (17 ranges)

Vendor     Product                                                Version range                         Fixed in
microsoft  windows_10_version_1507                                >= 10.0.10240.0 < 10.0.10240.19926    10.0.10240.19926
microsoft  windows_10_version_1607                                >= 10.0.14393.0 < 10.0.14393.5921     10.0.14393.5921
microsoft  windows_server_2008_r2_service_pack_1                  >= 6.1.7601.0 < 6.1.7601.26519        6.1.7601.26519
microsoft  windows_server_2008_service_pack_2                     >= 6.0.6003.0 < 6.0.6003.22070        6.0.6003.22070
microsoft  windows_server_2012                                    >= 6.2.9200.0 < 6.2.9200.24266        6.2.9200.24266
microsoft  windows_server_2012_r2                                 >= 6.3.9600.0 < 6.3.9600.20969        6.3.9600.20969
microsoft  windows_server_2016                                    >= 10.0.14393.0 < 10.0.14393.5921     10.0.14393.5921
msrc       windows_10_for_32-bit_systems                          (no range given)
msrc       windows_10_for_x64-based_systems                       (no range given)
msrc       windows_10_version_1607_for_32-bit_systems             (no range given)
msrc       windows_10_version_1607_for_x64-based_systems          (no range given)
msrc       windows_server_2008_for_32-bit_systems_service_pack_2  (no range given)
msrc       windows_server_2008_for_x64-based_systems_service_pack_2 (no range given)
msrc       windows_server_2008_r2_for_x64-based_systems_service_pack_1 (no range given)
msrc       windows_server_2012                                    (no range given)
msrc       windows_server_2012_r2                                 (no range given)
msrc       windows_server_2016                                    (no range given)

Detection & IOCs (extracted from sources)

Byte pattern (shellcode stub from the PoC):
\x65\x48\x8B\x04\x25\x30\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc3
  • CVE-2023-29336 is a Win32k kernel-mode driver local elevation of privilege vulnerability; monitor for low-privileged processes spawning SYSTEM-level children or acquiring SYSTEM tokens via Win32k syscalls (NtUserEnableMenuItem, NtUserSetClassLongPtr, NtUserCreateAcceleratorTable, NtUserConsoleControl from win32u.dll).
  • The exploit abuses NtUserEnableMenuItem (win32u.dll) to trigger the vulnerability; alert on low-integrity processes resolving and calling NtUserEnableMenuItem, NtUserSetClassLongPtr, NtUserCreateAcceleratorTable, and NtUserConsoleControl from win32u.dll in rapid succession.
  • The exploit uses VirtualAlloc with PAGE_EXECUTE_READWRITE to execute a GS-register-reading shellcode stub; detect VirtualAlloc(PAGE_EXECUTE_READWRITE) followed by execution from that region in user-mode processes as a behavioral indicator.
  • The exploit reads the USER32.DLL handle table at a hardcoded offset (0xbd688) to resolve kernel object addresses; this offset is specific to Windows Server 2016 builds targeted by this PoC and can be used as a signature in memory forensics.
  • The exploit uses EPROCESS offsets specific to the targeted Windows build (UniqueProcessId +0x440, ActiveProcessLinks +0x448, Token +0x4b8); these constants in memory or in a loaded module can be used for YARA/memory scanning.
  • The attack vector is local; post-exploitation tool Mimikatz is cited as a follow-on payload after SYSTEM privileges are obtained via this EoP. Monitor for Mimikatz execution following any suspicious privilege escalation event.
  • The exploit PoC targets Windows Server 2016 specifically; the hardcoded USER32.DLL offset (0xbd688) and EPROCESS offsets are build-specific and may not apply to other Windows versions without modification.
  • The attack vector for CVE-2023-29336 is local, meaning an attacker must already have local access (initial foothold) before exploiting this EoP; it is not remotely exploitable on its own.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvelistv5             7.8    HIGH
vulncheck             7.8    HIGH
cisa                  7.8    HIGH
vendor_msrc           7.8    HIGH