CVE-2023-29360 — Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability

CVE-2023-29360

Windows Streaming Service — No-Auth Local Privilege Escalation via Untrusted Pointer Dereference; Used by Lazarus Group

What is the Microsoft Streaming Service?

The Microsoft Streaming Service (MSKSSRV.SYS) is a Windows kernel-mode driver that provides proxy services for kernel streaming (KS) — the multimedia subsystem used for audio/video capture and playback. It runs with SYSTEM privileges and accepts I/O control requests from user-mode applications. Because user-space code can interact with the driver, vulnerabilities that allow an untrusted caller to supply invalid pointers for the driver to dereference provide a reliable privilege escalation path from any user account to SYSTEM.

Overview

CVE-2023-29360 is an untrusted pointer dereference vulnerability in the Windows Streaming Service that allows a local attacker with no special privileges and no user interaction to escalate to SYSTEM. It was patched in the June 2023 Patch Tuesday release, but active exploitation was only confirmed and reported to CISA later, leading to its addition to the CISA KEV catalog in February 2024. Microsoft attributed exploitation to a state-sponsored threat actor (consistent with North Korea's Lazarus Group activity patterns) in early 2024.

Affected Versions

Product                             | Affected | Fixed
------------------------------------|----------|----------------------------
Windows 10 (all supported versions) | Yes      | June 2023 cumulative update
Windows 11 (all supported versions) | Yes      | June 2023 cumulative update
Windows Server 2008 through 2022    | Yes      | June 2023 cumulative update

Technical Details

An untrusted pointer dereference (CWE-822) occurs when a driver uses a value supplied by user-space code as a memory address (pointer) without validating that the address is legitimate. In MSKSSRV.SYS, when processing I/O control requests (DeviceIoControl calls), the driver accepts a structure containing a pointer field and dereferences it directly — reading from or writing to the attacker-controlled address as if it were a valid kernel object.

By supplying a carefully crafted pointer value that refers to attacker-controlled memory (or to a kernel structure at a known address via heap spray or other primitive), an attacker can:

  1. Read arbitrary kernel memory: extract SYSTEM-level credentials, kernel addresses (to defeat ASLR), or token values.
  2. Write to arbitrary kernel addresses: overwrite security token privileges, function pointers in kernel objects, or other control-flow-relevant data — escalating to SYSTEM code execution.

The CVSS vector reflects no privilege requirements (PR:N) and no user interaction (UI:N), making this a particularly clean exploitation primitive for any user with local code execution.
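The defensive counterpart of the bug class described above, as an added example that is not code from the advisory or from MSKSSRV.SYS: a user-mode model of the validation an IOCTL handler must apply to a pointer embedded in a caller-supplied structure before dereferencing it. The request layout, the user-space ceiling (USER_LIMIT), the length bound and the status codes are assumptions for illustration; in a real Windows driver the equivalent is ProbeForRead/ProbeForWrite inside __try/__except on every pointer taken from the request.

```c
/* Added example, not code from the advisory or from MSKSSRV.SYS: a user-mode
 * model of the check a kernel IOCTL handler must apply to a pointer embedded
 * in a caller-supplied structure. Struct layout, the address ceiling and the
 * status codes are assumptions; in a real driver the equivalent is
 * ProbeForRead/ProbeForWrite inside __try/__except on every such pointer. */
#include <stdint.h>
#include <string.h>

/* Hypothetical request: a pointer plus a length, the shape a CWE-822 bug
 * mishandles when the pointer field is dereferenced as-is. */
struct ks_request {
    uint64_t buffer;   /* address supplied by the caller */
    uint32_t length;   /* bytes the caller claims live at that address */
};

#define USER_LIMIT 0x00007FFFFFFF0000ULL  /* simulated top of user space */
#define MAX_LENGTH 0x10000U               /* per-request upper bound */

enum status { STATUS_OK = 0, STATUS_BAD_LENGTH, STATUS_INVALID_ADDRESS, STATUS_MISALIGNED };

/* Reject anything that is not a bounded, aligned, user-mode range: zero or
 * oversized lengths, misalignment, kernel addresses, and ranges that start
 * below the limit but end above it or wrap around the address space. */
enum status probe_user_range(uint64_t base, uint32_t length, uint32_t align)
{
    if (length == 0 || length > MAX_LENGTH) return STATUS_BAD_LENGTH;
    if (align == 0 || base % align != 0) return STATUS_MISALIGNED;
    if (base > USER_LIMIT - length) return STATUS_INVALID_ADDRESS; /* no overflow */
    return STATUS_OK;
}

/* Hardened handler: copy the header out of the caller's buffer once, validate
 * the embedded pointer, and only then treat it as a buffer. The vulnerable
 * pattern the advisory describes skips probe_user_range entirely. */
enum status handle_ioctl(const void *input, size_t input_len)
{
    struct ks_request req;
    if (input_len < sizeof req) return STATUS_BAD_LENGTH;
    memcpy(&req, input, sizeof req);   /* never re-read the caller's copy */
    return probe_user_range(req.buffer, req.length, sizeof(uint32_t));
}

/* Builds a request as a caller would and submits it to the handler. */
enum status check_request(uint64_t buffer, uint32_t length)
{
    struct ks_request req = { buffer, length };
    return handle_ioctl(&req, sizeof req);
}
```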

Discovery

Security researchers at Avast Threat Intelligence discovered exploitation of CVE-2023-29360 in the context of a sophisticated attack campaign and reported it to Microsoft and CISA. The February 2024 KEV addition was based on Avast's confirmation that the vulnerability was being actively exploited in the wild by a nation-state threat actor approximately eight months after the patch was released.

Exploitation Context

Microsoft and security researchers attributed exploitation of CVE-2023-29360 to North Korea's Lazarus Group (also called HIDDEN COBRA or APT38), who incorporated it into their post-exploitation toolkit after the June 2023 patch. Lazarus used this LPE bug as a second-stage privilege escalation following initial access via other means — consistent with their established pattern of using patched-but-unupdated vulnerabilities against organizations slow to apply Windows cumulative updates.

Remediation

  1. Apply the June 2023 Windows cumulative update — this contains the fix for CVE-2023-29360. Systems still running patch levels older than June 2023 are actively targeted.
  2. Maintain a regular patching cadence — nation-state actors like Lazarus Group specifically target organizations that lag on Windows cumulative updates; monthly patching eliminates this exposure.
  3. Deploy endpoint detection capable of behavioral LPE detection — monitoring for low-privileged processes spawning SYSTEM-privileged children is an effective behavioral indicator.
  4. Limit unnecessary local user access on sensitive systems — while this bug requires no privileges, reducing the number of users with interactive or RDP access to sensitive servers shrinks the attack surface.

Key Details

Property             | Value
---------------------|---------------------------------------------
CVE ID               | CVE-2023-29360
Vendor / Product     | Microsoft — Streaming Service
NVD Published        | 2023-06-14
NVD Last Modified    | 2025-10-28
CVSS 3.1 Score       | 8.4
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-822
CISA KEV Added       | 2024-02-29
CISA KEV Deadline    | 2024-03-21
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-03-21. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
-----------|-------------------------------------------------------------
2023-06-13 | Microsoft June 2023 Patch Tuesday — CVE-2023-29360 patched
2024-02-29 | Added to CISA Known Exploited Vulnerabilities catalog
2024-03-21 | CISA BOD 22-01 remediation deadline

References

Resource                                    | Type
--------------------------------------------|-----------------------
Microsoft Security Response Center Advisory | Vendor Advisory
NVD — CVE-2023-29360                        | Vulnerability Database
CISA KEV Catalog Entry                      | US Government