PoC Released for Zero-Click CVE-2023-35628 Vulnerability in Microsoft Windows
Akamai researcher Ben Barnea has published the technical details and a proof-of-concept (PoC) for CVE-2023-35628, a memory-corruption vulnerability in Microsoft Windows that is reachable from Outlook clients and from Windows Explorer. Rated CVSS 8.1, the flaw is particularly dangerous because it can be triggered without any user interaction.
The bug lives in the code Windows uses to turn file:// URLs into Windows file paths, and it presents two main risks:
- Zero-Click Attacks on Outlook: An attacker can send a maliciously crafted email that triggers the bug when Outlook processes the message; the recipient does not have to click a link or open an attachment.
- System Instability and Compromise: At minimum the bug crashes Windows Explorer. A skilled attacker may be able to turn the underlying memory corruption into code execution on a vulnerable system and from there reach sensitive data.
How the Vulnerability Works
The vulnerability stems from a flaw in how Windows parses file paths, specifically within the CreateUri function. An attacker reaches it either by sending a specially crafted email to an Outlook client or by getting a user to browse, in Windows Explorer, to a folder that contains a malicious file.
The core of the problem is the handling of file paths. When the CrackUrlFile function receives a URL, it converts the URL into a Windows path and manages its buffers differently depending on whether that path turns out to be a UNC path or a local drive path. On one of these branches the function frees a buffer pointer that has already been passed to a reallocation, so memory is either freed twice or a stale pointer is used. That mistake hands an attacker a heap memory-corruption primitive.
Triggering the Vulnerability
Exploitation starts with a file scheme URL that is first treated as a UNC path but is then resolved as a local drive path. An example of such a URL is:
file://./UNC/C:/Akamai.com/file.wav
Because the UNC-looking prefix collapses into the local path C:\Akamai.com\file.wav, the two buffer-handling paths collide and the function ends up freeing memory that has already been reallocated. An attacker who can shape the heap around that freed block can turn the stray free into memory corruption.
Ben Barnea and his team at Akamai have also published a proof of concept (PoC) for CVE-2023-35628. The PoC crashes Windows Explorer when the user merely views a directory containing a malicious shortcut file. Users and administrators are urged to review the research to understand the vulnerability and assess the risk to their systems.
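The following is an added, constructed model of the bug class described above, written for this article; it is not the Windows CrackUrlFile implementation and not Akamai's PoC. It converts a file:// URL into a Windows path in a buffer that grows with realloc, classifies the "file://./UNC/<drive>:/" shape from the example as a local drive path even though its host part looks like UNC, and shows the vulnerable pattern (freeing the pre-realloc pointer on the local-path branch) next to the hardened version. The function names, the fixed buffer growth strategy and the sample URLs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, added for illustration: not Windows code.
 * A file:// URL becomes a Windows path in a buffer that grows with
 * realloc. The "./UNC/<drive>:/" form is classified as a UNC URL by its
 * host (".") but yields a local drive path, which is the branch where the
 * vulnerable converter frees a pointer that realloc already replaced. */

enum path_kind { PATH_INVALID = 0, PATH_LOCAL = 1, PATH_UNC = 2 };

/* Append one character, doubling the buffer when full.
 * Returns the (possibly moved) buffer, or NULL after freeing it on failure. */
static char *push_char(char *buf, size_t *len, size_t *cap, char c) {
    if (*len + 2 > *cap) {                 /* room for c and the NUL */
        size_t ncap = *cap * 2;
        char *grown = realloc(buf, ncap);  /* may move: old pointer is dead */
        if (!grown) { free(buf); return NULL; }
        buf = grown;
        *cap = ncap;
    }
    buf[(*len)++] = c;
    buf[*len] = '\0';
    return buf;
}

/* Hardened converter. Exactly one live pointer is kept and reassigned
 * after every push_char, so there is nothing stale left to free.
 * Returns a heap string (caller frees) and sets *kind, or NULL. */
char *file_url_to_path(const char *url, enum path_kind *kind) {
    static const char scheme[] = "file://";
    *kind = PATH_INVALID;
    if (strncmp(url, scheme, sizeof scheme - 1) != 0) return NULL;
    const char *p = url + sizeof scheme - 1;
    enum path_kind k;
    size_t len = 0, cap = 4;              /* small on purpose to force realloc */
    char *buf = malloc(cap);
    if (!buf) return NULL;
    buf[0] = '\0';

    if (strncmp(p, "./UNC/", 6) == 0 && isalpha((unsigned char)p[6])
            && p[7] == ':' && p[8] == '/') {
        k = PATH_LOCAL;                   /* UNC-looking host, local drive path */
        p += 6;                           /* drop "./UNC/" -> "C:/..." */
    } else if (*p && *p != '/' && *p != '.') {
        k = PATH_UNC;                     /* file://server/share -> \\server\share */
        if (!(buf = push_char(buf, &len, &cap, '\\'))) return NULL;
        if (!(buf = push_char(buf, &len, &cap, '\\'))) return NULL;
    } else {
        free(buf);                        /* file:///C:/ and empty hosts: not modelled */
        return NULL;
    }
    for (; *p; p++)
        if (!(buf = push_char(buf, &len, &cap, *p == '/' ? '\\' : *p))) return NULL;
    *kind = k;
    return buf;
}

/* Vulnerable pattern, kept for contrast and deliberately never called
 * (it corrupts the heap). The converter remembers its first allocation as
 * unc_buf for the UNC case and frees it once the path turns out to be
 * local, although push_char's realloc may already have released that
 * block. If realloc moved the buffer this is a double free; if it did not,
 * the returned path points at freed memory. */
char *file_url_to_path_vuln(const char *url) {
    static const char scheme[] = "file://";
    if (strncmp(url, scheme, sizeof scheme - 1) != 0) return NULL;
    const char *p = url + sizeof scheme - 1;
    int local = strncmp(p, "./UNC/", 6) == 0;
    if (local) p += 6;
    size_t len = 0, cap = 4;
    char *unc_buf = malloc(cap);
    if (!unc_buf) return NULL;
    unc_buf[0] = '\0';
    char *buf = unc_buf;
    for (; *p; p++)
        if (!(buf = push_char(buf, &len, &cap, *p == '/' ? '\\' : *p))) return NULL;
    if (local) free(unc_buf);             /* BUG: unc_buf was already handed to realloc */
    return buf;
}

/* Helper for checking: convert, compare kind and text, free, return 1 on match. */
int check_conversion(const char *url, enum path_kind want_kind, const char *want_path) {
    enum path_kind kind;
    char *path = file_url_to_path(url, &kind);
    int ok = path ? (kind == want_kind && strcmp(path, want_path) == 0)
                  : (want_path == NULL && kind == want_kind);
    free(path);
    return ok;
}

int main(void) {
    /* Constructed sample URLs; the first is the shape quoted in the article. */
    const char *samples[] = { "file://./UNC/C:/Akamai.com/file.wav",
                              "file://server/share/file.wav", "file:///C:/x" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        enum path_kind kind;
        char *path = file_url_to_path(samples[i], &kind);
        printf("%-40s kind=%d path=%s\n", samples[i], kind, path ? path : "(rejected)");
        free(path);
    }
    return 0;
}
```

The hardened version differs from the vulnerable one in a single discipline: after realloc, the old pointer is never kept in a second variable, so no later branch can free it. Running the vulnerable function under a debug allocator or AddressSanitizer reports the double free immediately, which is the quick way to confirm this bug class in any converter that rewrites a path in place.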
Protecting Yourself
Microsoft fixed this issue in the December 2023 Patch Tuesday updates, and users should apply that update without delay. In addition, organizations whose Exchange servers received the March 2023 Exchange security update get some protection on the Outlook side: that update strips the message property that carries the malicious file path, which blocks the zero-click email vector. It does not fix the vulnerable client code, so the Windows Explorer vector remains until the December update is installed.