Vulnerability Details : CVE-2013-3660
Public exploit exists!
The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."
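The description above names the defect (a next-object pointer left uninitialised in a newly created record) and the conditions that turn it into a write into attacker-controlled memory (memory pressure, then many FlattenPath calls). The C program below is an added illustration of that bug class, not win32k code and not the public testcase: the pool, the PATHRECORD layout and the functions spray_and_release, flatten_append and walk_chain are simplified stand-ins, and the paged-pool exhaustion is collapsed into a recycling allocator that hands back slots without clearing them.

```c
/* Toy model of the bug class described above: a freshly allocated PATHRECORD
 * whose next pointer is never initialised inherits whatever its pool slot held
 * before. Added illustration, not win32k code; every name here is a stand-in. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct pathrecord {
    struct pathrecord *pprnext;  /* forward link in the chain */
    struct pathrecord *pprprev;  /* back link, (re)written when the chain is walked */
    int count;                   /* number of points in the record (illustrative) */
} PATHRECORD;

/* Stand-in for the paged pool: a few fixed slots that are handed out and
 * recycled without being cleared, so stale contents survive a free/alloc. */
#define POOL_SLOTS 4
static PATHRECORD pool[POOL_SLOTS];
static int pool_used[POOL_SLOTS];

static PATHRECORD *pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_used[i]) { pool_used[i] = 1; return &pool[i]; }
    return NULL;  /* pool exhausted */
}

static void pool_free(PATHRECORD *p) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (&pool[i] == p) pool_used[i] = 0;
}

/* Lives outside the chain and outside the pool: stands in for memory the
 * attacker controls (the description's "PATHRECORD chain" ending up writable). */
static PATHRECORD attacker_record;

/* Attacker preparation, modelled on "excessive consumption of paged memory":
 * fill the pool with records whose next pointer aims at attacker_record, then
 * release them so every slot keeps that pointer as stale data. */
static void spray_and_release(void) {
    PATHRECORD *held[POOL_SLOTS];
    int n = 0;
    PATHRECORD *p;
    while ((p = pool_alloc()) != NULL) {
        p->pprnext = &attacker_record;
        p->pprprev = NULL;
        p->count = 0;
        held[n++] = p;
    }
    for (int i = 0; i < n; i++) pool_free(held[i]);
}

/* Flatten step: append a new record to the chain. With initialise_next == 0 the
 * new record's pprnext is left as the allocator returned it (the defect the
 * description attributes to pprFlattenRec); with 1 it is set to NULL. */
static PATHRECORD *flatten_append(PATHRECORD *tail, int initialise_next) {
    PATHRECORD *rec = pool_alloc();
    if (rec == NULL) return NULL;      /* allocation failure under memory pressure */
    rec->count = tail->count * 2;      /* pretend the curve was subdivided */
    rec->pprprev = tail;
    if (initialise_next) rec->pprnext = NULL;
    tail->pprnext = rec;
    return rec;
}

/* Walk the chain from head, rewriting each record's back link as a re-link
 * pass would. The step limit guards against a cycled list. */
static void walk_chain(PATHRECORD *head) {
    PATHRECORD *prev = NULL;
    int steps = 0;
    for (PATHRECORD *p = head; p != NULL && steps < 16; p = p->pprnext, steps++) {
        p->pprprev = prev;  /* a kernel write whose target came from pprnext */
        prev = p;
    }
}

/* Run the scenario; returns 1 if the walk wrote into attacker_record
 * (write landed outside the legitimate chain), 0 otherwise, -1 on alloc failure. */
int run_scenario(int fixed) {
    static PATHRECORD head;
    memset(pool_used, 0, sizeof pool_used);
    memset(&attacker_record, 0, sizeof attacker_record);
    memset(&head, 0, sizeof head);
    head.count = 8;

    spray_and_release();                 /* leaves &attacker_record in every slot */
    if (flatten_append(&head, fixed) == NULL) return -1;
    walk_chain(&head);
    return attacker_record.pprprev != NULL;
}

int main(void) {
    printf("uninitialised pprnext: write reached attacker record = %d\n", run_scenario(0));
    printf("initialised pprnext:   write reached attacker record = %d\n", run_scenario(1));
    return 0;
}
```

run_scenario(0) returns 1 because the recycled slot still carries the sprayed pointer and the walk follows it into attacker_record; run_scenario(1) returns 0 once the new record's pprnext is explicitly set, which is the kind of initialisation the vendor fix has to add. Real pool memory is not this deterministic, which is why the description pairs the bug with memory pressure and many FlattenPath calls.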
Products affected by CVE-2013-3660
- cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:professional:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*
CVE-2013-3660 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: Microsoft Win32k Privilege Escalation Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft does not properly initialize a pointer for the next object in a certain list, which allows local users to gain privileges.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-3660
Added on: 2022-03-28
Action due date: 2022-04-18
Exploit prediction scoring system (EPSS) score for CVE-2013-3660
EPSS score: 74.94% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~98% (the proportion of vulnerabilities scored at or below this one)
Metasploit modules for CVE-2013-3660
- Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation
  Disclosure Date: 2013-05-15
  First seen: 2020-04-26
  Module: exploit/windows/local/ppr_flatten_rec
  This module exploits a vulnerability in EPATHOBJ::pprFlattenRec due to the usage of uninitialized data, which allows memory to be corrupted. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
CVSS scores for CVE-2013-3660
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C | 3.4 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-07 |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | 2024-07-09 |
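The table lists a v2 score and two v3.1 scores without showing how the base, exploitability and impact figures follow from the vectors. The calculator below is an added example, not the page's own code, that reproduces them from the CVSS v2 and v3.1 formulas (weights and rounding as in the FIRST v2 guide and v3.1 specification); the function and type names are this example's own.

```c
/* CVSS v2 and v3.1 base-score calculators, added to show how the scores in
 * the table derive from the two vectors. Added example, not the page's own
 * code; weights and rounding follow the CVSS v2 guide and v3.1 specification. */
#include <stdio.h>
#include <string.h>

typedef struct { double base, exploitability, impact; } cvss_scores;

/* Value letter of metric NAME in a slash-separated vector, or '?' if absent.
 * Tokens are matched whole, so looking up "C" never matches inside "AC:M". */
static char metric(const char *vec, const char *name) {
    size_t n = strlen(name);
    const char *p = vec;
    while (1) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n + 2 && strncmp(p, name, n) == 0 && p[n] == ':') return p[n + 1];
        if (end == NULL) return '?';
        p = end + 1;
    }
}

/* Weight of value letter V: KEYS lists the letters, VALS the matching weights.
 * Returns -1 for an unknown or missing value. */
static double weight(char v, const char *keys, const double *vals) {
    const char *p = v ? strchr(keys, v) : NULL;
    return p ? vals[p - keys] : -1.0;
}

/* v2 rounds to the nearest tenth; every input here is non-negative. */
static double round1(double x) { return (double)(long)(x * 10.0 + 0.5) / 10.0; }

/* v3.1 "Roundup": the smallest tenth >= x, using the spec's integer trick. */
static double roundup31(double x) {
    long i = (long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0) return (double)i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

static double pow15(double b) { double r = 1.0; for (int k = 0; k < 15; k++) r *= b; return r; }

cvss_scores cvss2_base(const char *vec) {
    static const double AV[] = {0.395, 0.646, 1.0}, AC[] = {0.35, 0.61, 0.71},
                        AU[] = {0.45, 0.56, 0.704}, CIA[] = {0.0, 0.275, 0.660};
    cvss_scores s = {0.0, 0.0, 0.0};
    double av = weight(metric(vec, "AV"), "LAN", AV), ac = weight(metric(vec, "AC"), "HML", AC),
           au = weight(metric(vec, "Au"), "MSN", AU), c = weight(metric(vec, "C"), "NPC", CIA),
           i = weight(metric(vec, "I"), "NPC", CIA), a = weight(metric(vec, "A"), "NPC", CIA);
    if (av < 0 || ac < 0 || au < 0 || c < 0 || i < 0 || a < 0) return s;  /* malformed vector */
    double impact = 10.41 * (1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a));
    double expl = 20.0 * av * ac * au;
    double f = impact == 0.0 ? 0.0 : 1.176;
    s.base = round1((0.6 * impact + 0.4 * expl - 1.5) * f);
    s.exploitability = round1(expl);
    s.impact = round1(impact);  /* C:C/I:C/A:C gives 10.0008, reported as 10.0 */
    return s;
}

cvss_scores cvss31_base(const char *vec) {
    static const double AV[] = {0.85, 0.62, 0.55, 0.2}, AC[] = {0.77, 0.44},
                        PR_U[] = {0.85, 0.62, 0.27}, PR_C[] = {0.85, 0.68, 0.5},
                        UI[] = {0.85, 0.62}, CIA[] = {0.0, 0.22, 0.56};
    cvss_scores s = {0.0, 0.0, 0.0};
    char scope = metric(vec, "S");
    int changed = scope == 'C';   /* Scope:Changed switches the PR weights and the base formula */
    double av = weight(metric(vec, "AV"), "NALP", AV), ac = weight(metric(vec, "AC"), "LH", AC),
           pr = weight(metric(vec, "PR"), "NLH", changed ? PR_C : PR_U),
           ui = weight(metric(vec, "UI"), "NR", UI), c = weight(metric(vec, "C"), "NLH", CIA),
           i = weight(metric(vec, "I"), "NLH", CIA), a = weight(metric(vec, "A"), "NLH", CIA);
    if ((scope != 'U' && scope != 'C') || av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0)
        return s;  /* malformed vector */
    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    double impact = changed ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02) : 6.42 * iss;
    double expl = 8.22 * av * ac * pr * ui;
    s.exploitability = round1(expl);
    if (impact <= 0.0) return s;            /* no impact: base score is 0 */
    s.impact = round1(impact);
    double sum = changed ? 1.08 * (impact + expl) : impact + expl;
    s.base = roundup31(sum > 10.0 ? 10.0 : sum);
    return s;
}

int main(void) {
    cvss_scores v2 = cvss2_base("AV:L/AC:M/Au:N/C:C/I:C/A:C");
    cvss_scores v3 = cvss31_base("CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    printf("v2   base %.1f exploitability %.1f impact %.1f\n", v2.base, v2.exploitability, v2.impact);
    printf("v3.1 base %.1f exploitability %.1f impact %.1f\n", v3.base, v3.exploitability, v3.impact);
    return 0;
}
```

For this CVE the v2 vector gives exploitability 20 x 0.395 x 0.61 x 0.704 = 3.39 and impact 10.41 x (1 - 0.34^3) = 10.0008, so the base is ((0.6 x 10.0008) + (0.4 x 3.39) - 1.5) x 1.176 = 6.89, reported as 6.9; the v3.1 vector gives exploitability 1.83 and impact 5.87, and Roundup(7.71) yields 7.8. The difference between the two base scores comes almost entirely from v3.1's UI:R (a user must interact), which has no v2 counterpart.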
CWE ids for CVE-2013-3660
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
  Assigned by:
  - 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2013-3660
- http://www.reddit.com/r/netsec/comments/1eqh66/0day_windows_kernel_epathobj_vulnerability/
  0day: Windows Kernel EPATHOBJ Vulnerability : netsec (Exploit; Issue Tracking)
- http://www.theverge.com/2013/5/23/4358400/google-engineer-bashes-microsoft-discloses-windows-flaw
  Google engineer publicizes Windows zero-day bug, claims Microsoft is 'difficult to work with' - The Verge (Press/Media Coverage)
- http://www.osvdb.org/93539
  (Broken Link)
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-053
  Microsoft Security Bulletin MS13-053 - Critical | Microsoft Docs (Patch; Vendor Advisory)
- http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0006.html
  (Broken Link)
- http://secunia.com/advisories/53435
  (Broken Link; Vendor Advisory)
- http://www.computerworld.com/s/article/9239477
  Google engineer bashes Microsoft's handling of security researchers, discloses Windows zero-day | Computerworld (Broken Link)
- http://www.exploit-db.com/exploits/25611/
  Microsoft Windows - Win32k!EPATHOBJ::pprFlattenRec Uninitialized Next Pointer Testcase - Windows dos Exploit (Exploit; Third Party Advisory; VDB Entry)
- http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0090.html
  (Broken Link)
- http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0094.html
  (Broken Link)
- http://twitter.com/taviso/statuses/309157606247768064
  Tavis Ormandy on Twitter: "Testing win32k under memory pressure, this causes an EPATHOBJ to end up in userspace. Anyone want to investigate? https://t.co/N5zgBYbPfN" (Exploit)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17360
  Repository / Oval Repository (Broken Link)
- http://twitter.com/taviso/statuses/335557286657400832
  Tavis Ormandy on Twitter: "I just realised a really cute trick to exploit the EPATHOBJ bug, make the list cycle, then a thread can clean up the pool, and patch it!" (Not Applicable)
- http://www.us-cert.gov/ncas/alerts/TA13-190A
  Microsoft Updates for Multiple Vulnerabilities | CISA (Third Party Advisory; US Government Resource)