
Researchers have released a proof-of-concept (PoC) exploit for an actively exploited Windows local elevation of privilege vulnerability that was patched as part of the May 2023 Patch Tuesday updates.

The Win32k subsystem (the Win32k.sys kernel driver) handles the operating system’s window manager, screen output, input, and graphics, and acts as an interface between various types of input hardware.

As such, exploiting these types of vulnerabilities tends to provide elevated privileges or code execution.

The vulnerability is tracked as CVE-2023-29336 and was originally discovered by cybersecurity company Avast. It received a CVSS v3.1 severity rating of 7.8 because it allows low-privileged users to gain Windows SYSTEM privileges, the highest user-mode privileges in Windows.

Avast says it discovered the vulnerability after it was actively exploited as a zero-day attack. However, the company declined to share any further details with BleepingComputer, so it’s unclear how it was abused.

To raise awareness of the actively exploited flaw and the need to apply Windows security updates, CISA also posted an alert and added it to its “Known Exploited Vulnerabilities” catalog.

Exactly one month after the patch was made available, security analysts from cybersecurity firm Web3 Numen have now released full technical details about the CVE-2023-29336 flaw and a PoC exploit for Windows Server 2016.

Rediscovering the flaw

Although the vulnerability is being actively exploited, Microsoft says it only affects older versions of Windows, including older versions of Windows 10, Windows Server, and Windows 8, and does not affect Windows 11.

“Although this vulnerability appears to be non-exploitable on the Win11 system version, it poses a significant risk for earlier systems,” Numen explains in their report.

“The exploitation of these vulnerabilities has a notorious track record, and in this in-depth analysis, we look at the methods employed by threat actors to exploit this specific vulnerability, taking into account evolving mitigation measures.”

While analyzing the vulnerability on Windows Server 2016, Numen researchers discovered that Win32k only locks the window object but fails to lock the nested menu object.

This omission, which researchers say results from copying obsolete code into newer versions of Win32k, leaves menu objects vulnerable to tampering or hijacking if attackers change the specific address in system memory.

Taking control of the menu object means gaining the same level of access as the program that launched it. Even if this first step does not grant attackers administrator-level privileges, it is an effective springboard for achieving that through the following steps.

Researchers experimented with various methods of manipulating memory configuration, exploit triggers, and memory read/write system functions and eventually developed a working PoC that would produce reliable SYSTEM privilege escalation.

More technical details on this process are available in the Numen report, and a demonstration of the PoC is shown below.

The general conclusion is that exploiting CVE-2023-29336 is not particularly difficult.

“Besides diligently exploring different methods to take control of the first write operation using data reoccupied from freed memory, there is generally no need for new exploitation techniques,” the report reads.

“This type of vulnerability relies heavily on desktop heap management address leaks […] and if this issue is not addressed thoroughly, it remains a security risk for older systems.”

Numen suggests that system administrators should be on the lookout for anomalous offset reads and writes in memory, or anomalous reads and writes related to window objects, which could indicate active exploitation of CVE-2023-29336 for local elevation of privilege.

It is recommended that all Windows users apply the May 2023 security updates, which, aside from this particular flaw, fixed two other zero-day vulnerabilities that hackers actively exploited.
