CVE-2023-29336
Win32k — use-after-free from unlocked nested menu object allows EoP
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | win32kfull.sys |
| Vulnerability Class | Object Management |
| Vulnerable Build | 10.0.22621.1555 (KB5025239) |
| Fixed Build | 10.0.22621.1635 (KB5026372) |
| Exploited ITW | Yes |
Affected Functions
- xxxEnableMenuItem
- xxxMNDestroyHandler
Root Cause
AutoPiff categorizes this as object_management with detection rules:
- ob_reference_balance_fix
Exploitation
Patch Analysis
Detection
YARA Rule
```yara
rule CVE_2023_29336_Win32k {
    meta:
        description = "Detects vulnerable version of win32kfull.sys (pre-patch)"
        cve = "CVE-2023-29336"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "win32kfull.sys" wide ascii nocase
        $vuln_build = "10.0.22621.1555" wide ascii
        $enable_menu = "xxxEnableMenuItem" ascii
        $destroy_handler = "xxxMNDestroyHandler" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($enable_menu, $destroy_handler)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Win32k | Menu object creation and destruction events | Monitors win32k menu operations for the use-after-free trigger involving nested menu objects |
| Microsoft-Windows-Kernel-Audit | Token modification (Event ID 4672) | Captures privilege escalation when the attacker leverages the freed menu object to gain arbitrary write |
| Microsoft-Windows-Security-Auditing | Special privileges assigned (Event ID 4672) | Alerts on a low-privilege process acquiring SYSTEM privileges after exploiting the UAF |
| Microsoft-Windows-Kernel-Process | Process token change | Detects the moment the exploiting process replaces its token with the SYSTEM token |
Behavioral Indicators
- A process creates deeply nested menu structures using `CreateMenu`/`CreatePopupMenu` and `InsertMenuItem`, then triggers `EnableMenuItem` on a nested item while simultaneously destroying the parent menu via a callback, causing a use-after-free in `xxxMNDestroyHandler`
- Win32k desktop heap spray using `SetMenuItemInfo` with controlled data to reclaim the freed menu object allocation with attacker-controlled contents, turning the UAF into a read/write primitive
- Anomalous window message processing patterns where a user-mode callback (e.g., a `WH_CALLWNDPROC` hook) destroys or modifies menu objects during a reentrant win32k call, creating the dangling pointer condition
- Token replacement in the `EPROCESS` structure observed as a standard-user process suddenly holding SYSTEM-level privileges without going through UAC or a legitimate elevation path
- Rapid creation and destruction of menu objects in a tight loop from a process that does not have a visible GUI, consistent with heap grooming for exploitation rather than normal UI activity
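The last two behavioral indicators (menu churn from a GUI-less process, and a token that jumps straight to SYSTEM) can be turned into a simple correlation. The following is an added example, not part of the original page or of any vendor tooling; the record layout (`ts`, `pid`, `type`, `visible`, `old_level`/`new_level`, `via_uac`) is an assumed normalized form of the ETW signals listed above, not a real ETW schema, and the telemetry is constructed.

```python
"""Added example (not from the original page): scoring the behavioral
indicators above over constructed telemetry.  The record layout (ts, pid,
type, visible, old_level/new_level, via_uac) is an assumption, not an ETW schema."""
from collections import defaultdict, deque

# Constructed sample telemetry.  pid 4120 is an ordinary GUI app that elevates
# via UAC; pid 7788 is a GUI-less process churning menu objects, then SYSTEM.
EVENTS = (
    [{"ts": 0.0, "pid": 4120, "type": "MenuCreate", "visible": True},
     {"ts": 0.4, "pid": 4120, "type": "MenuDestroy", "visible": True},
     {"ts": 0.5, "pid": 4120, "type": "TokenChange",
      "old_level": "Medium", "new_level": "High", "via_uac": True}]
    + [{"ts": i * 0.005, "pid": 7788, "visible": False,
        "type": "MenuCreate" if i % 2 == 0 else "MenuDestroy"}
       for i in range(40)]
    + [{"ts": 0.3, "pid": 7788, "type": "TokenChange",
        "old_level": "Medium", "new_level": "System", "via_uac": False}]
)

def detect_menu_churn(events, window_s=1.0, threshold=20):
    """Pids that create/destroy >= threshold menus within window_s seconds
    while owning no visible window (heap-grooming shaped activity)."""
    flagged, recent = set(), defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] not in ("MenuCreate", "MenuDestroy"):
            continue
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window_s:       # slide the time window
            q.popleft()
        if len(q) >= threshold and not ev["visible"]:
            flagged.add(ev["pid"])
    return flagged

def detect_token_jump(events):
    """Pids whose token moves straight to SYSTEM without a UAC elevation."""
    return {ev["pid"] for ev in events
            if ev["type"] == "TokenChange"
            and ev["new_level"] == "System" and not ev["via_uac"]}

def correlate(events):
    """Map pid -> list of matched indicators; two hits is high confidence."""
    hits = defaultdict(list)
    for pid in detect_menu_churn(events):
        hits[pid].append("menu_churn_no_gui")
    for pid in detect_token_jump(events):
        hits[pid].append("token_jump_to_system")
    return dict(hits)
```

`correlate(EVENTS)` flags only pid 7788, on both indicators; the UAC-elevated GUI process is not reported.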