Researcher to Release PoC for 0-day Windows CVE-2023-36036 Flaw

CVE-2023-36036 PoC

Proof-of-concept (PoC) exploit code is about to be published for the zero-day CVE-2023-36036 vulnerability that allows hackers to gain SYSTEM privileges. Rated with a CVSS score of 7.8, this high-severity Elevation of Privilege vulnerability has been fixed in Microsoft’s November 2023 Patch Tuesday.

This high-severity vulnerability resides within the Windows Cloud Files Mini Filter driver, a component crucial for cloud file storage. An attacker who successfully exploits this flaw can gain “SYSTEM” privileges, essentially becoming an all-powerful administrator on the compromised system.

The flaw was discovered internally by the Microsoft Threat Intelligence Microsoft Security Response Center. Also, it is not known how the flaw was abused in attacks or by what threat actor.

CVE-2023-36036 PoC

Security researcher Chestnuts4 announced last week that he released a technical report for CVE-2023-36036 and will likely manage to create a working proof-of-concept (PoC) exploit code for this flaw this week.

At the heart of this vulnerability lies a boundary-writing issue within the Windows Cloud Files Mini Filter driver. This flaw surfaces during the parsing of Reparse point data, exacerbated by the memcpy function’s user-controllable length parameter and manageable source memory. Such a configuration opens the door for attackers to craft and transmit malicious structures, leading to out-of-bounds writing and, frighteningly, the execution of arbitrary code within the kernel.

Researchers believe this vulnerability was relatively simple to exploit due to a lack of proper validation. Before using the memcpy function to copy data, the code failed to verify the length of the data being copied. This oversight allowed attackers to inject malicious data that triggered the out-of-bounds write and gained SYSTEM privileges.

Upon dissecting this vulnerability, its principle and activation method appear deceptively straightforward. The absence of a length verification mechanism before the use of memcpy emerges as a critical oversight. Yet, the solution is elegantly simple: a pre-decompression length check. If the data length exceeds 0x4000, it is flagged as erroneous, thwarting the vulnerability at its inception.

Security researcher Chestnuts4 has publicly announced the release of a technical report and indicated they may upload a working exploit code this week.

In response, Microsoft has swiftly deployed a patch as part of its November Patch Tuesday security update. The designation of this flaw as a zero-day vulnerability underscores its urgency and the immediate need for users to apply the provided security measures.