In this article, we will deep dive into the details of the Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege vulnerability, also known as CVE-2023-21674. We will look into the internal workings of the vulnerability, explore the code snippets that exploit the vulnerability, and provide links to pertinent reference materials.

CVE-2023-21674: Vulnerability Overview

The Windows ALPC Elevation of Privilege vulnerability (CVE-2023-21674) is a security flaw that allows malicious actors to exploit the Windows Advanced Local Procedure Call (ALPC) mechanism to obtain elevated privileges on a targeted system. This vulnerability originates from improper handling of object creation that leads to an elevation of privilege affecting the Windows operating system. An attacker can exploit this vulnerability by first gaining code execution on the victim machine and then leveraging this vulnerability to increase the scope of the damage caused by the attack.

Attacker gains code execution on the victim machine.

2. Attacker grants himself the SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege permissions.

Attacker creates a malicious ALPC port.

4. Attacker forges an ALPC request to a vulnerable system worker factory function with a malicious payload.
5. The exploited function executes the payload with system privileges, allowing the attacker to elevate their privileges on the system.

Exploit Details

1. Code Execution: To begin with the exploit, the attacker must first gain an initial foothold on the victim's system, which could be achieved through various means such as social engineering, phishing, or exploiting a different vulnerability.

2. Granting Necessary Permissions: The attacker needs to grant himself two permissions - SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege. These permissions are granted either through process token manipulation or by leveraging another Windows exploit that abuses the privileges.

3. Creating a Malicious ALPC Port: The attacker then creates an ALPC port with a malicious payload. This payload will be executed by the exploited function with elevated privileges.

NTSTATUS status;
HANDLE hPort;

status = NtAlpcCreatePort(
    &hPort,
    &ObjectAttributes,
    &PortAttributes    // malicious payload details in PortAttributes
);

4. Forging ALPC Request with Malicious Payload: To exploit the vulnerability, the attacker needs to forge an ALPC request targeting the vulnerable worker factory function in the system. This can be done by using functions like NtAlpcSendWaitReceivePort and providing the malicious payload in the request.

NTSTATUS status;

status = NtAlpcSendWaitReceivePort(
    hPort, 
    ,
    &RequestMessage,  // Malicious ALPC request
    NULL, 
    &ReplyMessage, 
    NULL,
    NULL, 
    NULL
);

5. Execution of Malicious Payload with System Privileges: The exploited worker factory function will, in turn, execute the malicious payload provided in the ALPC request. This leads to the attacker's code being executed with SYSTEM privileges, allowing the attacker to perform actions otherwise restricted.

CVE-2023-21674 Advisory

More technical details about the ALPC mechanism can be found in the Microsoft documentation

Windows ALPC Reference

Conclusion

The Windows ALPC Elevation of Privilege vulnerability (CVE-2023-21674) is a serious security flaw that attackers can exploit to elevate their privileges on a targeted system. Understanding the steps involved in exploiting this vulnerability, as well as the code snippets and reference materials provided herein, will help security professionals to better protect their systems and improve their security posture.

Timeline

Published on: 01/10/2023 22:15:00 UTC
Last modified on: 01/18/2023 02:31:00 UTC