PoC exploit for 0-day Windows Error Reporting Service bug (CVE-2023-36874) releases

Proof-of-concept (PoC) exploit code will be released for a zero-day vulnerability (CVE-2023-36874) allowing privilege escalation in Microsoft Windows.

The vulnerability (CVSS score of 7.8) affects the Windows Error Reporting Service (WER), a component that collects and sends error reports to Microsoft. The vulnerability exists due to a flaw in how WER handles specially crafted requests. An attacker could exploit this vulnerability by creating a malicious program that is designed to take advantage of the flaw. Once the malicious program is executed, the attacker could gain elevated privileges on the system. Microsoft says that the flaw was discovered by Vlad Stolyarov and Maddie Stone of Googles Threat Analysis Group (TAG)

CVE-2023-36874 isn’t just any vulnerability; it’s an actively exploited zero-day. This means the vulnerability was already being exploited in the wild even before any fix was released, or sometimes, before it was even publicly known. Such vulnerabilities are often prime targets for cybercriminals as they offer a window of opportunity before patches roll out.

However, exploiting this vulnerability isn’t as straightforward as one might think. Microsoft’s advisories note, “An attacker must have local access to the targeted machine and must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default.” This narrows down the threat vector, but by no means eliminates it. Given the footprint of Windows globally, even a slight vulnerability can translate to millions of at-risk devices.

Yesterday, security researcher d0rb warned Windows users that he created a proof-of-concept (PoC) exploit for CVE-2023-36874. He wrote:

Initialize COM by calling CoInitialize(NULL).

Create COM interfaces to interact with WER:

    Create an instance of CLSID_ERCLuaSupport to obtain an IErcLuaSupport interface.

    Use IErcLuaSupport to create an IWerStoreFactory instance.

    Create an IWerStore instance using IWerStoreFactory.

Start the report enumeration process by calling pIWerStore->EnumerateStart().

Load a report using pIWerStore->LoadReport function. Replace "ReportName" with the actual report name you want to exploit.

Submit the loaded report to trigger the vulnerability by calling pIWerReport->SubmitReport().

Release the COM interfaces and clean up the resources:

    pIWerReport->Release()

    pIWerStore->Release()

    pIWerStoreFactory->Release()

    pIErcLuaSupport->Release()

Uninitialize COM by calling CoUninitialize().

In response to the threat posed by CVE-2023-36874, Microsoft has been swift. Their July 2023 Patch Tuesday addressed and sealed this gap, providing users with the necessary armor against potential exploits. For businesses and individual users alike, it’s crucial to keep systems updated to avoid falling prey to such threats.

Update:

Another PoC for this flaw is available here.