CVE-2013-3661
Microsoft Windows - Denial of Service via EPATHOBJ::bFlatten PATHRECORD Linked-List Traversal
Title source: LLM
Exploitation Summary
EIP tracks 3 public exploits for CVE-2013-3661. PoCs published by Metasploit, Tavis Ormandy.
AI-analyzed exploit summary
This Metasploit module exploits a local privilege escalation vulnerability in Windows (CVE-2013-3660) by leveraging uninitialized data in EPATHOBJ::pprFlattenRec to corrupt memory and escalate privileges to SYSTEM. It includes process migration and payload execution capabilities. CVE-2013-3660 is the companion win32k.sys bug disclosed together with this one; the CVE-2013-3661 infinite loop in EPATHOBJ::bFlatten is the hang primitive that the public exploits below combine with it.
Description
The EPATHOBJ::bFlatten function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not check whether linked-list traversal is continually accessing the same list member, which allows local users to cause a denial of service (infinite traversal) via vectors that trigger a crafted PATHRECORD chain.
Exploits (3)
Metasploit module exploit/windows/local/ppr_flatten_rec: targets the companion memory corruption bug CVE-2013-3660 (uninitialized data in EPATHOBJ::pprFlattenRec) rather than the bFlatten loop alone, corrupting kernel memory to run its payload as SYSTEM, with process migration and payload execution built in.
This exploit targets a memory corruption vulnerability in the Windows kernel (win32k.sys) via the EPATHOBJ::pprFlattenRec function, allowing local privilege escalation by manipulating PATHRECORD structures through GDI operations like PolyDraw and FlattenPath.
This exploit uses the infinite loop in the Windows kernel's EPATHOBJ::bFlatten function (this CVE) as a timing primitive rather than as the end goal: a user-mode watchdog thread patches the compromised PATHRECORD linked list while the kernel is stuck walking it, turning the companion pprFlattenRec memory corruption into a controlled kernel write and a SYSTEM privilege escalation. The PoC demonstrates a reliable LPE on Windows 8.
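The following is an added, user-mode model of the behaviour the Description and the third exploit entry describe; it is not code from this page, from Metasploit or from Tavis Ormandy's PoCs and does not touch win32k. The PATHRECORD struct here is a simplified stand-in whose field names are assumed for illustration. flatten_naive walks the chain the way the unpatched EPATHOBJ::bFlatten does, following next until NULL with no check for landing on the same member again, so a record whose next points at itself never terminates (a step budget stands in for "forever"). flatten_checked adds a Floyd cycle check, which goes beyond the advisory's self-link case and also rejects longer cycles. The optional watchdog hook models the PoC's second thread: it rewrites the looping record while the walker is parked on it, and the walk then ends.

```c
/* Added example: user-mode model of the EPATHOBJ::bFlatten PATHRECORD walk.
 * Not code from the page, Metasploit or the PoC authors. The struct is a
 * simplified stand-in for win32k's PATHRECORD; field names are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct pathrecord {
    struct pathrecord *next;   /* forward link that bFlatten follows */
    struct pathrecord *prev;
    uint32_t flags;
    uint32_t count;            /* number of points in the record (unused here) */
} PATHRECORD;

/* Hook called once per step so a second party can rewrite the list while the
 * walker is spinning; models the user-mode watchdog thread in the Windows 8 PoC. */
typedef void (*watchdog_fn)(PATHRECORD *cur, unsigned step, void *ctx);

/* Unpatched behaviour: follow next until NULL, never checking whether the walk
 * revisits a member. budget models "forever": -1 means it did not terminate. */
int flatten_naive(PATHRECORD *head, unsigned budget, watchdog_fn wd, void *ctx) {
    int records = 0;
    unsigned step = 0;
    for (PATHRECORD *pr = head; pr != NULL; pr = pr->next) {
        if (step >= budget) return -1;      /* infinite traversal (CVE-2013-3661) */
        if (wd) wd(pr, step, ctx);          /* watchdog may unlink pr->next here */
        step++;
        records++;
    }
    return records;
}

/* Floyd tortoise/hare: detects the self-link from the advisory and any longer cycle. */
int list_has_cycle(const PATHRECORD *head) {
    const PATHRECORD *slow = head, *fast = head;
    while (fast != NULL && fast->next != NULL) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast) return 1;
    }
    return 0;
}

/* Hardened walk: refuse a cyclic chain before traversing it. */
int flatten_checked(PATHRECORD *head) {
    if (list_has_cycle(head)) return -1;
    int records = 0;
    for (PATHRECORD *pr = head; pr != NULL; pr = pr->next) records++;
    return records;
}

/* Constructed input: a 3-record chain; when crafted, the last record points at itself. */
static void build_chain(PATHRECORD *r, int crafted) {
    for (int i = 0; i < 3; i++) {
        r[i].next = (i < 2) ? &r[i + 1] : NULL;
        r[i].prev = (i > 0) ? &r[i - 1] : NULL;
        r[i].flags = 0;
        r[i].count = 0;
    }
    if (crafted) r[2].next = &r[2];
}

/* Watchdog: once the walker has been parked on a self-linked record for a few
 * steps, break the cycle so the kernel-side loop (in the real PoC) returns. */
static void unlink_on_step(PATHRECORD *cur, unsigned step, void *ctx) {
    (void)ctx;
    if (step == 10 && cur->next == cur) cur->next = NULL;
}

int demo_benign(void)          { PATHRECORD r[3]; build_chain(r, 0); return flatten_naive(r, 100, NULL, NULL); }
int demo_benign_checked(void)  { PATHRECORD r[3]; build_chain(r, 0); return flatten_checked(r); }
int demo_crafted_naive(void)   { PATHRECORD r[3]; build_chain(r, 1); return flatten_naive(r, 100, NULL, NULL); }
int demo_crafted_checked(void) { PATHRECORD r[3]; build_chain(r, 1); return flatten_checked(r); }
int demo_crafted_watchdog(void){ PATHRECORD r[3]; build_chain(r, 1); return flatten_naive(r, 100, unlink_on_step, NULL); }

int main(void) {
    printf("benign, naive walk:        %d records\n", demo_benign());          /* 3  */
    printf("benign, checked walk:      %d records\n", demo_benign_checked());  /* 3  */
    printf("crafted, naive walk:       %d (never terminates)\n", demo_crafted_naive());   /* -1 */
    printf("crafted, checked walk:     %d (cycle rejected)\n", demo_crafted_checked());   /* -1 */
    printf("crafted + watchdog:        %d steps before the patch freed it\n", demo_crafted_watchdog()); /* 11 */
    return 0;
}
```

The crafted case is the whole bug: the naive walker spins until the budget is exhausted, which in the kernel means a hung system. The watchdog run shows why that hang is useful to an attacker rather than just a DoS: the walker is parked on a known record for as long as the attacker likes, so a second thread can edit the list at leisure and then release it, which is the window the Windows 8 PoC exploits against the companion pprFlattenRec corruption.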