Information security experts have published a PoC exploit for a privilege escalation vulnerability in the Win32k driver that was fixed in May.
Let me remind you that this bug received the identifier CVE-2023-29336 (CVSS score 7.8) and was discovered by Avast researchers. CVE-2023-29336 is reported to affect systems running Windows 10 and Windows Server 2008, 2012, and 2016.
Back in May, Avast specialists warned that they had already observed attacks exploiting CVE-2023-29336, but gave no concrete details about them.
In turn, the US Cybersecurity and Infrastructure Security Agency (CISA) added the issue to its Known Exploited Vulnerabilities (KEV) catalog and required federal agencies to install the patches by May 30, 2023.
Now, about a month after the patch was released, analysts from Numen Cyber Labs have published full technical details of the vulnerability, along with a PoC exploit for Windows Server 2016.
The experts say that although the vulnerability cannot be used against Windows 11, it poses a significant risk to older versions of the OS, including older builds of Windows 10, Windows Server and Windows 8.
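As an added triage check (not code from the article, Avast or Numen), the PowerShell below tells you whether the local host falls into the product set reported as affected above, and whether it carries any update installed on or after the May 2023 Patch Tuesday (2023-05-09), when the fix shipped. The date cut-off is an assumption used as a heuristic: Get-HotFix does not list every servicing update, and the authoritative check is the specific KB for your build in the MSRC advisory, which this script does not encode.

```powershell
# Added triage script (not from the original article, Avast or Numen).
# Question 1: is this host in the affected set reported for CVE-2023-29336?
# Question 2: has any update been installed since the May 2023 Patch Tuesday?
# Assumption: the fix shipped on 2023-05-09; confirm the exact KB against MSRC.

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$caption = $os.Caption            # e.g. "Microsoft Windows Server 2016 Standard"
$build   = $os.BuildNumber

# Affected families as reported: Windows 10 and Windows Server 2008/2012/2016.
# Windows 11 is explicitly out of scope according to the researchers.
$inScope = ($caption -match 'Windows 10|Windows Server 2008|Windows Server 2012|Windows Server 2016') `
           -and ($caption -notmatch 'Windows 11')

if (-not $inScope) {
    Write-Output "$caption (build $build): not in the reported affected set for CVE-2023-29336."
    return
}

$patchTuesday = [datetime]'2023-05-09'
$updates = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

if ($updates) {
    Write-Output "$caption (build $build): in scope; updates installed since $($patchTuesday.ToShortDateString()):"
    $updates | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning ("$caption (build $build): in scope and no update recorded since " +
                   "$($patchTuesday.ToShortDateString()); treat as unpatched for CVE-2023-29336 " +
                   "until the May 2023 cumulative update is confirmed.")
}
```

Run it in an elevated PowerShell session on each candidate host; an "in scope" result with no post-May-9 update is the case to prioritise, since a working PoC is now public.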
In their report, the researchers explain that they experimented with various memory manipulation techniques, exploit triggers and memory read/write primitives, which ultimately let them build a working exploit that reliably elevates privileges to SYSTEM.
A demonstration of the exploit is shown in the video below.
Overall, the researchers concluded that exploiting CVE-2023-29336 is not particularly difficult and that it is likely to remain a security risk for older systems.
Numen engineers advise system administrators to watch for anomalous offset-based read/write operations and related window objects, which may indicate active exploitation of CVE-2023-29336 for local privilege escalation.