CVE-2013-3660 — Microsoft Win32k Privilege Escalation Vulnerability

CVE-2013-3660

Microsoft Win32k — EPATHOBJ Linked List Pointer Flaw Enables Any Local User to Execute Code in Ring 0

What is Microsoft Win32k?

Win32k.sys is the kernel-mode component of the Windows graphics and windowing subsystem. It processes GDI (Graphics Device Interface) operations — drawing shapes, text, and paths — on behalf of user-mode applications. Because win32k runs in ring 0 (kernel mode), a memory-safety flaw in it lets a local user escalate from user mode to kernel mode, bypassing every user-mode security boundary. Win32k has been a persistent source of Windows privilege escalation vulnerabilities over many years.

Overview

CVE-2013-3660 is a privilege escalation vulnerability in the EPATHOBJ::pprFlattenRec function of win32k.sys. When win32k flattens a complex graphics path, it iterates a linked list of path records. A flaw in the linked-list traversal leaves the "next" pointer of the final record uninitialized, and under specific conditions a local user can steer the stale pointer so that the kernel writes attacker-controlled values into arbitrary kernel memory. This enables any local user or process to execute code at ring-0 (kernel) privilege and gain SYSTEM access.

Tavis Ormandy publicly disclosed this vulnerability with proof-of-concept code in May 2013. Microsoft patched it in MS13-054 in August 2013 — approximately 87 days after public disclosure.

Affected Versions

Operating System                     Affected
Windows XP SP3 (32-bit)              Yes
Windows XP SP2 (64-bit)              Yes
Windows Vista SP2                    Yes
Windows 7 SP1                        Yes
Windows Server 2003 SP2              Yes
Windows Server 2008 SP2 / R2 SP1     Yes
Windows 8 / RT                       Yes
Windows Server 2012                  Yes

Technical Details

The Windows GDI path flattening routines in win32k.sys process complex Bezier curve paths by converting them into a series of line segments. This flattening operation uses EPATHOBJ objects arranged in a singly-linked list. The EPATHOBJ::pprFlattenRec function iterates through this list to flatten each record in turn.

The vulnerability: when pprFlattenRec processes the last record in the list, it fails to initialize the pprNext pointer of the newly created flattened record, so the pointer keeps whatever stale data the stack or heap held. With a carefully constructed path containing many records, a later traversal reaches that uninitialized pointer and treats it as a valid pointer to a kernel object.

Exploitation: By controlling the stale pointer value (through heap manipulation or predictable stack values), an attacker can cause the kernel to treat attacker-controlled data as an EPATHOBJ object. The result is an arbitrary kernel write primitive — the attacker can modify any kernel address they choose. A standard next step is overwriting a security token or the SYSTEM process's credential structure to acquire SYSTEM privileges.
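The tail-pointer flaw described above, modelled in C as an added example (this is not win32k code): a flatten step that explicitly terminates every new record, and a bounded list walk that refuses to follow a list past a fixed limit, which is the check a traversal should apply before trusting a link. Only the field name pprNext comes from the advisory; the record layout, the names path_record_t, flatten_path, count_records and the bounds are constructed for illustration.

```c
#include <stdlib.h>
/* Simplified model, not win32k code: pprNext is the advisory's field name, the rest is constructed. */
typedef struct path_record {
    struct path_record *pprNext; /* next record, NULL at the tail */
    int is_bezier;               /* 1 = curve to flatten, 0 = line segments */
    size_t count;                /* number of points in the record */
} path_record_t;
enum { SEGMENTS_PER_CURVE = 4, MAX_RECORDS = 4096 };

static void free_path(path_record_t *p) {
    while (p) { path_record_t *n = p->pprNext; free(p); p = n; }
}
/* Hardened flatten step: every field of the new record, the link included,
 * is written explicitly, so the tail ends in NULL rather than in stale data. */
static path_record_t *flatten_rec(const path_record_t *src) {
    path_record_t *out = calloc(1, sizeof *out); /* zero-filled storage */
    if (!out) return NULL;
    out->count = src->is_bezier ? src->count * SEGMENTS_PER_CURVE : src->count;
    out->pprNext = NULL; /* explicit, even though calloc already did it */
    return out;
}
/* Defensive walk: record count, or -1 if the list does not terminate within
 * MAX_RECORDS (a stale or cyclic link should never be followed that far). */
long count_records(const path_record_t *head) {
    long n = 0;
    for (const path_record_t *p = head; p; p = p->pprNext)
        if (++n > MAX_RECORDS) return -1;
    return n;
}
/* Flattens a whole list into a new, properly terminated list (NULL on OOM). */
path_record_t *flatten_path(const path_record_t *head) {
    path_record_t *new_head = NULL, *tail = NULL, *r;
    for (const path_record_t *p = head; p; p = p->pprNext, tail = r) {
        if (!(r = flatten_rec(p))) { free_path(new_head); return NULL; }
        if (tail) tail->pprNext = r; else new_head = r;
    }
    return new_head;
}
/* Constructed input line(5) -> bezier(4) -> line(3): returns total flattened points (24) or -1. */
long demo_flatten(void) {
    path_record_t c = { NULL, 0, 3 }, b = { &c, 1, 4 }, a = { &b, 0, 5 };
    path_record_t *flat = flatten_path(&a);
    long total = 0, n = count_records(flat);
    for (const path_record_t *p = flat; p; p = p->pprNext) total += (long)p->count;
    free_path(flat);
    return n == 3 ? total : -1;
}
long demo_cycle(void) { /* constructed cycle a -> b -> a: the bounded walk returns -1 */
    static path_record_t a, b; a.pprNext = &b; b.pprNext = &a;
    return count_records(&a);
}
```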

Public disclosure: Tavis Ormandy (Google Project Zero/Security Team) publicly released a proof-of-concept exploit in May 2013. The 87-day gap between public disclosure and Microsoft's patch meant the vulnerability was exploitable by any attacker with access to the PoC for nearly three months.

Discovery

Discovered by Tavis Ormandy and publicly disclosed on May 22, 2013 along with a working proof-of-concept. The disclosure before patch availability made this a de facto public 0-day for its unpatched window.

Exploitation Context

CISA confirmed exploitation in the wild. A public working proof-of-concept accelerated uptake among attackers. Win32k privilege escalation vulnerabilities like CVE-2013-3660 serve as sandbox escape components — attackers who achieve code execution inside a sandboxed process (e.g., via a browser or PDF reader vulnerability) use the LPE to escape the sandbox and gain full system access.

Remediation

  1. Apply MS13-054 (August 2013 Patch Tuesday) — patches win32k.sys
  2. Ensure Windows Update is fully current; win32k vulnerabilities are frequently part of chained attacks
  3. Apply OS-level mitigations: EMET (on older Windows) or Windows Defender Exploit Guard — these add stack protection and ROP mitigations that raise the cost of exploit chain development
  4. Enforce least-privilege: users running as standard users (not local admin) cannot leverage an LPE to gain domain or enterprise-wide access without further exploitation steps
  5. Segment workstations to limit blast radius from compromise

Key Details

Property               Value
CVE ID                 CVE-2013-3660
Vendor / Product       Microsoft — Win32k
NVD Published          2013-05-24
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-119
CISA KEV Added         2022-03-28
CISA KEV Deadline      2022-04-18
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

Date         Event
2013-05-22   Tavis Ormandy publicly discloses CVE-2013-3660 with proof-of-concept before vendor patch
2013-05-24   CVE-2013-3660 published
2013-08-13   Microsoft releases MS13-054 (August 2013 Patch Tuesday) patching CVE-2013-3660
2022-03-28   Added to CISA Known Exploited Vulnerabilities catalog
2022-04-18   CISA BOD 22-01 remediation deadline

References

Resource                                 Type
NVD — CVE-2013-3660                      Vulnerability Database
CISA KEV Catalog Entry                   US Government
Microsoft Security Bulletin MS13-054     Vendor Advisory