CVE-2023-36033 — Microsoft Windows Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability

CVE-2023-36033

Windows DWM Core Library — Zero-Day LPE via Uninitialized Memory in dwm.exe Escalates to SYSTEM; Exploited Alongside CVE-2023-36025; November 2023 Patch Tuesday

What is Windows Desktop Window Manager?

Windows Desktop Window Manager (DWM) is the compositing window manager in Windows Vista and later that renders the Windows graphical user interface — handling window borders, the taskbar, Aero Glass effects, transparency, and all visual compositing of the desktop. DWM runs as a system service (dwm.exe) with elevated privileges. Because DWM processes content from all running applications and has direct access to graphics hardware and session management, local privilege escalation vulnerabilities in DWM are particularly impactful: they can be exploited by a low-privilege process to escalate to SYSTEM-level access without any user interaction. Windows DWM has been a recurring target for privilege escalation vulnerabilities, with multiple DWM CVEs appearing in CISA KEV across 2023 and 2024.

Overview

CVE-2023-36033 is a zero-day local privilege escalation vulnerability in the Windows Desktop Window Manager (DWM) Core Library that allows a low-privilege local attacker to escalate to SYSTEM privileges. Microsoft patched it on November 14, 2023 (Patch Tuesday) alongside CVE-2023-36025 (a Windows SmartScreen bypass) and CVE-2023-36036 (a second DWM Core Library LPE zero-day), an unusual simultaneous disclosure of three zero-days in one Patch Tuesday. CISA added all three to KEV the same day. That the two DWM LPEs (CVE-2023-36033 and CVE-2023-36036) and the SmartScreen bypass (CVE-2023-36025) were exploited in the same window suggests attack chains that combined initial payload delivery with local privilege escalation to SYSTEM.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (all supported versions) | Prior to November 2023 Patch Tuesday | November 2023 Cumulative Update |
| Windows 11 (all supported versions) | Prior to November 2023 Patch Tuesday | November 2023 Cumulative Update |
| Windows Server 2019 | Prior to November 2023 Patch Tuesday | November 2023 Update |
| Windows Server 2022 | Prior to November 2023 Patch Tuesday | November 2023 Update |

Technical Details

CWE-822 (Untrusted Pointer Dereference). Windows DWM Core Library contains a vulnerability involving the use of an uninitialized or untrusted memory pointer. DWM processes various window management messages and graphics operations from applications running in the current user session. A flaw in how certain operations handle memory pointers allows a low-privilege process to pass a crafted message or data structure to DWM that causes DWM to dereference an attacker-controlled pointer — writing or executing code at the attacker-specified address within the elevated DWM process context.

Because DWM runs with SYSTEM privileges, an attacker who achieves controlled code execution inside the DWM process by exploiting the untrusted pointer dereference gains SYSTEM-level access on the Windows host. The CVSS vector components AV:L (Local) and PR:L (Low Privileges Required) reflect that this is a local escalation: it requires a process already running on the machine, but only standard user privileges are needed to exploit it.

CVE-2023-36033 and CVE-2023-36036 are separate DWM vulnerabilities patched simultaneously — the fact that Microsoft patched two distinct DWM LPE zero-days in the same Patch Tuesday indicates sophisticated attackers had multiple independent paths to DWM privilege escalation.

Discovery

Discovered by Quan Jin (@jq0904) of DBAppSecurity WeBin Lab, who reported the vulnerability to Microsoft. The zero-day status (exploited before patch) indicates that the vulnerability was found during active exploitation investigation, not proactive security research alone.

Exploitation Context

CVE-2023-36033 was exploited in the wild before Microsoft's November 2023 Patch Tuesday patch. The simultaneous exploitation of CVE-2023-36033 (DWM LPE), CVE-2023-36036 (second DWM LPE), and CVE-2023-36025 (SmartScreen bypass) suggests threat actors operating sophisticated attack chains:

  1. CVE-2023-36025 (SmartScreen bypass) → deliver initial malware payload without user warning
  2. CVE-2023-36033 or CVE-2023-36036 (DWM LPE) → escalate from user-level malware process to SYSTEM

The DBatLoader/ModiLoader malware campaign was documented using similar Windows zero-day chains in this period to deliver information stealers and remote access tools with SYSTEM-level persistence. Having SYSTEM access allows malware to disable security software, add persistence mechanisms that survive user logoffs, and access all data on the system.

Remediation

  1. Apply November 2023 Windows cumulative security updates immediately — the patch for CVE-2023-36033 is included in the November 14, 2023 Patch Tuesday updates.
  2. Also apply patches for CVE-2023-36036 (second DWM LPE, same Patch Tuesday) and CVE-2023-36025 (SmartScreen bypass) — all three zero-days from November 2023 Patch Tuesday should be applied together.
  3. Enable Windows Automatic Updates or deploy via WSUS/SCCM to ensure cumulative updates are applied promptly across all Windows endpoints.
  4. Monitor for privilege escalation indicators: processes running as SYSTEM that originated from user-level processes, unexpected SYSTEM-level process executions, or new services installed without administrative action.
  5. Deploy and maintain endpoint detection and response (EDR) solutions capable of detecting DWM-based privilege escalation behaviors.
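The monitoring described in step 4 can be prototyped as a small scan over process-creation telemetry. The following is an added example, not code from this advisory or from Microsoft: it assumes simplified records with pid, ppid, image and user fields (the shape of Sysmon Event ID 1 or Security event 4688 data), applies two heuristics (a SYSTEM-account child whose parent ran in a standard user context, and any child spawned by dwm.exe, which does not normally create processes), and uses an empty allowlist meant to be tuned per environment. All sample events are constructed.

```python
"""Flag user-to-SYSTEM escalation patterns in process-creation telemetry.

Added example (not from the advisory). Records are simplified to the fields
a Sysmon Event ID 1 or Security 4688 event carries: pid, ppid, image, user.
Two heuristics (both assumptions to tune per environment):
  1. a SYSTEM-account child whose parent ran as a standard user, and
  2. any child spawned by dwm.exe, which normally creates no child processes.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Accounts treated as already privileged; a child running as one of these
# under a user-context parent is what remediation step 4 asks us to find.
PRIVILEGED_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Parent images permitted to spawn SYSTEM children from a user context.
# Empty by default (assumption); add vetted management agents if needed.
ALLOWED_PARENT_IMAGES: Set[str] = set()


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # full path of the created process
    user: str    # account the new process runs as


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_escalations(events: List[ProcEvent]) -> List[Tuple[str, ProcEvent, ProcEvent]]:
    """Return (reason, child, parent) for every event matching a heuristic."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, ProcEvent, ProcEvent]] = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # parent not in this batch; lineage unknown
        parent_name = basename(parent.image)
        if parent_name == "dwm.exe":
            findings.append(("dwm.exe spawned a child process", child, parent))
        elif (
            child.user in PRIVILEGED_ACCOUNTS
            and parent.user not in PRIVILEGED_ACCOUNTS
            and parent_name not in ALLOWED_PARENT_IMAGES
        ):
            findings.append(("user-context parent spawned a SYSTEM child", child, parent))
    return findings


# Constructed sample telemetry (not real data); PIDs and user names are invented.
SAMPLE_EVENTS = [
    ProcEvent(500, 4, r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(800, 500, r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(850, 4, r"C:\Windows\System32\winlogon.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(900, 850, r"C:\Windows\System32\dwm.exe", "Window Manager\\DWM-1"),
    ProcEvent(1100, 850, r"C:\Windows\System32\userinit.exe", "CORP\\alice"),
    ProcEvent(1200, 1100, r"C:\Windows\explorer.exe", "CORP\\alice"),
    ProcEvent(2000, 1200, r"C:\Windows\System32\notepad.exe", "CORP\\alice"),
    # UAC-elevated tool launched through a SYSTEM service host: benign direction.
    ProcEvent(2200, 800, r"C:\Windows\System32\mmc.exe", "CORP\\alice"),
    # User-context program that ends up with a SYSTEM child: heuristic 1.
    ProcEvent(2500, 1200, r"C:\Users\alice\Downloads\invoice.exe", "CORP\\alice"),
    ProcEvent(3000, 2500, r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM"),
    # Anything spawned by dwm.exe: heuristic 2.
    ProcEvent(3100, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "NT AUTHORITY\\SYSTEM"),
]


if __name__ == "__main__":
    for reason, child, parent in find_escalations(SAMPLE_EVENTS):
        print(f"[{reason}] pid={child.pid} {basename(child.image)} as {child.user} "
              f"<- ppid={parent.pid} {basename(parent.image)} as {parent.user}")
```

The parent lookup only works within one batch of events, so in practice feed it a window of telemetry wide enough to contain the parent, and expect to grow the allowlist for deployment or management agents that legitimately bridge user and SYSTEM contexts in your estate.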

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2023-36033 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2023-11-14 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-822 |
| CISA KEV Added | 2023-11-14 |
| CISA KEV Deadline | 2023-12-05 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2023-12-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2023-11-14 | Microsoft patches CVE-2023-36033 on November 2023 Patch Tuesday alongside CVE-2023-36025 (SmartScreen bypass) and CVE-2023-36036 (DWM LPE); CISA adds all three to KEV the same day |
| 2023-12-05 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2023-36033 | Vendor Advisory |
| NVD — CVE-2023-36033 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |