tandasat/CVE-2023-36427

CVE-2023-36427

This repo contains the report and exploit for CVE-2023-36427: memory corruption at arbitrary physical addresses from the root partition on Windows. The details of the vulnerability and its exploit are in the report sent to Microsoft.

Demo

Timeline

  • July 2 - Sent a report to a friend of mine at Microsoft.
  • July 11 - Received a reply from a member of the team responsible for the issue.
  • August 8 - Received a proposal to make the disclosure date November 14.
  • August 9 - Agreed with the proposal.
  • November 14 - The fix was released.
  • November 15 - Disclosed the issue. Notified that the issue was eligible for a 2000 USD bounty award.

Thanks MSRC for transparent communication, the engineering team for fixing this on time, and Andrea (@aall86) for helping me share the issue and connecting with the right folks within Microsoft.