Researchers Release PoC Exploit for Windows XAML Diagnostics EoP Flaw
Proof-of-concept (Poc) code has been released for a now-patched important-severity security flaw, CVE-2023-36003, in the Windows XAML Diagnostics that the security researcher Michael Maltsev reported to Microsoft in July last year.
With a CVSS score of 6.7, this flaw is described as the elevation of privilege within Windows systems. Patched as part of Microsoft’s December 2023 updates, it affected an array of Windows versions, including the latest builds of Windows 10 and Windows 11.
The crux of the issue lay in the InitializeXamlDiagnosticsEx API. Introduced in Windows 10 1703, this API was designed for diagnostic purposes, allowing for the inspection of applications using Extensible Application Markup Language (XAML) for their UI—a common choice for many modern Windows applications, including staples like Task Manager and Windows Terminal.
The vulnerability stemmed from a lack of adequate security checks within the InitializeXamlDiagnosticsEx API. This oversight permitted a non-elevated process to inject a DLL into any other process supported by the API. The implications were alarming: a regular user could potentially gain SYSTEM privileges.
Exploitation scenarios included targeting running elevated processes like the Task Manager in Windows 11 22H2 or the Windows Terminal. These applications, often opened with elevated privileges, became prime targets for attackers seeking to escalate their access levels.
Furthermore, the vulnerability could be exploited to bypass User Interface Privilege Isolation (UIPI) by targeting a UIAccess process. This method didn’t even require User Account Control (UAC) interference, making it a stealthy approach for attackers.
Adding to the severity, Michael Maltsev released a Proof-of-Concept (PoC) code, demonstrating the practical application of CVE-2023-36003. Accompanied by a short video, the PoC provided a real-world insight into how the vulnerability could be exploited, underscoring the urgency for users to update their systems with the latest security patches.
