CVE-2017-0100

HIGH

Windows HelpPane - Privilege Escalation via DCOM Object

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-0100. PoCs published by Google Security Research, cssxn.

AI-analyzed exploit summary This C# PoC exploits CVE-2017-0100, a COM Session Moniker EoP vulnerability, by leveraging the IHxHelpPaneServer interface to execute arbitrary processes (e.g., notepad.exe) in another user's session without proper permission checks. It demonstrates the flaw by binding to a session moniker and executing a process in a different active session.

Description

A DCOM object in Helppane.exe in Microsoft Windows 7 SP1; Windows Server 2008 R2; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows local users to gain privileges via a crafted application, aka "Windows HelpPane Elevation of Privilege Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED

by Google Security Research · localwindows

https://www.exploit-db.com/exploits/41607

View Code ZIP pw:eip

This C# PoC exploits CVE-2017-0100, a COM Session Moniker EoP vulnerability, by leveraging the IHxHelpPaneServer interface to execute arbitrary processes (e.g., notepad.exe) in another user's session without proper permission checks. It demonstrates the flaw by binding to a session moniker and executing a process in a different active session.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows 10 14393, Server 2012 R2

Auth required

Prerequisites: Two non-admin users logged into the same machine · Active sessions for both users

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.003 - Sudo and Sudo Caching

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 10 stars

by cssxn · poc

https://github.com/cssxn/CVE-2017-0100

View Code ZIP pw:eip

This PoC exploits CVE-2017-0100 by leveraging the IHxHelpPaneServer COM interface to execute arbitrary commands via the Execute method. The code demonstrates a local privilege escalation by launching calc.exe through a crafted file:// URL.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Windows (affected versions)

No auth needed

Prerequisites: Access to a vulnerable Windows system

MITRE ATT&CK

T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/41607/

Issue Tracking x_refsource_misc

https://bugs.chromium.org/p/project-zero/issues/detail?id=1021

Various Sources x_refsource_misc

http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038001

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0100

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/96700

Scores

CVSS v3 7.8

EPSS 0.0496

EPSS Percentile 91.1%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (10)

microsoft/windows_10

microsoft/windows_10 1511

microsoft/windows_10 1607

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_2008 r2

microsoft/windows_server_2012 r2

microsoft/windows_server_2016

Microsoft Corporation/Windows HelpPane Windows HelpPane in Microsoft Windows 7 SP1; Windows Server 2008 R2; Windows 8.1; Windows Server 201

Published Mar 17, 2017

Tracked Since Feb 18, 2026