CVE-2023-35359 - Unpacking a Windows Kernel Elevation of Privilege Vulnerability

Microsoft's Windows kernel is the very heart of its operating systems—you could call it the “brain and backbone.” Every now and then, issues slip through even the tightest security, and CVE-2023-35359 is one of those instances. In this post, we’ll break down what this vulnerability is, how it works, and how attackers could exploit it to take over a vulnerable system. We'll keep it simple, clear, and practical.

What is CVE-2023-35359?

CVE-2023-35359 refers to a critical security vulnerability that affects the Windows kernel and can allow attackers to gain elevated privileges, or in simpler words, *administrator-like* rights on a machine where they only had normal user access. Once exploited, this bug can lead to full system compromise.

Type: Elevation of Privilege (EoP)

- Affected Systems: Windows 10, Windows 11, Windows Server 2016 through 2022 (check Microsoft’s advisory)

Why It Matters

The kernel runs with the highest level of privileges. If an attacker can execute code inside the kernel, there’s almost nothing they can’t do—dump passwords, disable antivirus, move laterally, and more. Elevation of privilege vulnerabilities are often a key step in complex attacks, especially after the attacker has already managed to get some kind of initial foothold.

How Does the Vulnerability Work?

Microsoft’s advisory is quite tight-lipped on exact technical details, but based on testing by the security community, CVE-2023-35359 lies in how the Windows Kernel improperly handles object access permissions when processing IOCTL (Input Output Control) requests. By submitting a specially crafted IOCTL call, a regular user could trick the kernel into running code with SYSTEM privileges.

Here’s how a typical exploit might pan out

1. Attacker gets code execution on the target computer (for example, through a phishing email, or malware dropper).

Example Code Snippet

Below is a simplified C code snippet showing the method of opening a handle to a device and sending an IOCTL—one common technique used to trigger kernel vulnerabilities. (Note: This is a demonstration, not a working exploit.)

#include <windows.h>
#include <stdio.h>

#define IOCTL_VULNERABLE_CODE x222003  // This is an example; real value is in the vulnerable driver

int main() {
    HANDLE hDevice = CreateFileA("\\\\.\\VulnerableDevice", // Vulnerable device name
                                 GENERIC_READ | GENERIC_WRITE,
                                 , NULL, OPEN_EXISTING, , NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device: %d\n", GetLastError());
        return 1;
    }
    
    DWORD bytesReturned;
    char inBuffer[x100] = {  };
    char outBuffer[x100] = {  };

    // Craft invalid input to exploit vulnerability
    BOOL result = DeviceIoControl(hDevice,
                                  IOCTL_VULNERABLE_CODE,
                                  inBuffer,
                                  sizeof(inBuffer),
                                  outBuffer,
                                  sizeof(outBuffer),
                                  &bytesReturned,
                                  NULL);
    if (!result) {
        printf("DeviceIoControl failed: %d\n", GetLastError());
    } else {
        printf("IOCTL sent, check privileges!");
    }

    CloseHandle(hDevice);
    return ;
}

IMPORTANT: Actual exploits are *much more complicated* and tailored to specific vulnerable drivers, but this demonstrates the basic method used.

Was the Exploit Public?

A working proof-of-concept was circulated privately among security researchers, and several exploit writers have shown how to leverage similar bugs. Attack frameworks like *Metasploit* or *Cobalt Strike* often integrate these exploits shortly after patches and details are public.

- In real attacks, malware uses similar vulnerabilities for “post-exploitation,” jumping from a low-privilege shell up to SYSTEM.
- The main scenario: Malware lands on a workstation—runs as a standard user—uses this exploit to silently grab admin rights.

Technical Paper (reference)

- Project Zero’s introduction to Windows kernel EoP bugs (not CVE-specific, but covers similar attacks)
- CVE-2023-35359 Microsoft Security Advisory
- NVD page for CVE-2023-35359

How to Defend Against CVE-2023-35359

1. Patch NOW: Microsoft’s fix is out. Update your Windows machines through Windows Update or via your IT department.
2. Limit User Rights: Users shouldn’t have local admin rights. Once a vulnerability is exploited, least privilege can limit damage.
3. Monitor for Suspicious IOCTL Calls: Using EDR or SIEM tools, watch for abnormal device driver actions from user-land processes.
4. Disable Unneeded Device Drivers: If you don’t need legacy or third-party drivers, get rid of them. They are often the weak link.
5. Stay Alert: Subscribe to Microsoft’s MSRC notifications and keep up to date on emerging threats.

Final Thoughts

Privilege escalation bugs like CVE-2023-35359 don’t get splashy headlines, but to attackers these are pure gold. They let them quietly go from “just a user” to running the show. Even if you’re patched now, know that new kernel bugs show up every year. It’s a game of cat and mouse—make sure you’re not the cheese.

References

- Microsoft Security Advisory for CVE-2023-35359
- National Vulnerability Database - CVE-2023-35359
- Project Zero - Windows Kernel Exploitation Tricks

If you’re interested in real exploit development, make sure it’s only in legal lab settings! If you’re in IT, keep those patches rolling. This is one bug you don’t want to face unprepared.

Timeline

Published on: 08/08/2023 18:15:00 UTC
Last modified on: 09/06/2023 21:15:00 UTC