## https://sploitus.com/exploit?id=2E1E7548-DCD8-5F90-8769-9716BCD64AAA
First in-the-wild 0-day of 2023
CVE-2023-21674 is a vulnerability in Windows Advanced Local Procedure Call (ALPC), discovered by Avast, that could lead to a browser sandbox escape and allow attackers to gain SYSTEM privileges.
-------------------------------------------------------------------------------------------------------------------------
```md
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff98061bbf8820, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8021a7120a4, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : AV.Type
Value: Read
Key : Analysis.CPU.mSec
Value: 1562
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 1654
Key : Analysis.Init.CPU.mSec
Value: 421
Key : Analysis.Init.Elapsed.mSec
Value: 13937
Key : Analysis.Memory.CommitPeak.Mb
Value: 76
Key : WER.OS.Branch
Value: ni_release
Key : WER.OS.Timestamp
Value: 2022-05-06T12:50:00Z
Key : WER.OS.Version
Value: 10.0.22621.1
FILE_IN_CAB: MEMORY - Copy.DMP
DUMP_FILE_ATTRIBUTES: 0x1000
BUGCHECK_CODE: 50
BUGCHECK_P1: ffff98061bbf8820
BUGCHECK_P2: 0
BUGCHECK_P3: fffff8021a7120a4
BUGCHECK_P4: 2
READ_ADDRESS: ffff98061bbf8820 Special pool
MM_INTERNAL_CODE: 2
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: CVE-2023-21674-POC.exe
TRAP_FRAME: ffff838564a3f660 -- (.trap 0xffff838564a3f660)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9805f9a9c600 rbx=0000000000000000 rcx=ffff98061bbf8600
rdx=ffff9805f0492f24 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8021a7120a4 rsp=ffff838564a3f7f0 rbp=0000000000000000
r8=0000000000000000 r9=ffff838564a3f920 r10=0000000000000000
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!SeCreateClientSecurity+0x54:
fffff802`1a7120a4 4c8bb120020000 mov r14,qword ptr [rcx+220h] ds:ffff9806`1bbf8820=????????????????
Resetting default scope
STACK_TEXT:
ffff8385`64a3f438 fffff802`1a480701 : 00000000`00000050 ffff9806`1bbf8820 00000000`00000000 ffff8385`64a3f660 : nt!KeBugCheckEx
ffff8385`64a3f440 fffff802`1a24fe4c : 00000000`00000000 00000000`00000000 ffff8385`64a3f5f9 00000000`00000000 : nt!MiSystemFault+0x2337d1
ffff8385`64a3f540 fffff802`1a437ddd : ffff8385`64a3f6c0 fffff802`1a27419e 00000000`00000000 ffff9805`dd22f000 : nt!MmAccessFault+0x29c
ffff8385`64a3f660 fffff802`1a7120a4 : 00000000`00001301 ffffb989`a4084ce0 00000000`00000000 00000000`000009e8 : nt!KiPageFault+0x35d
ffff8385`64a3f7f0 fffff802`1a711dba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!SeCreateClientSecurity+0x54
ffff8385`64a3f890 fffff802`1a711b9e : ffff9805`fbffee20 ffff8385`64a3fb20 ffff9805`fbffee20 00000000`00000000 : nt!AlpcpImpersonateMessage+0x11a
ffff8385`64a3f9c0 fffff802`1a43b968 : 00000000`000000d4 ffff9805`fbffee20 00000000`00000000 00000000`00001210 : nt!NtAlpcImpersonateClientOfPort+0x15e
ffff8385`64a3faa0 00007fff`bc8cfe24 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000da`8352f238 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`bc8cfe24
SYMBOL_NAME: nt!SeCreateClientSecurity+54
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 54
FAILURE_BUCKET_ID: AV_VRFK_R_(null)_nt!SeCreateClientSecurity
OS_VERSION: 10.0.22621.1
BUILDLAB_STR: ni_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {9ec8eba5-8500-2db9-9fec-a2667249961f}
Followup: MachineOwner
---------
```