In early 2023, security researchers uncovered a serious vulnerability that affects Windows users who rely on Point-to-Point Protocol over Ethernet (PPPoE) for their internet connections. The flaw, cataloged as CVE-2023-23385, allows attackers to gain elevated privileges — essentially letting them act as system administrators without permission. This post explains the vulnerability in plain, easy-to-understand language, shares code samples tied to exploitation, and offers resources for learning more.

What is PPPoE and Why Does It Matter?

PPPoE is a networking protocol often used by ISPs to manage connections, especially in DSL and fiber environments. Despite the rise of always-on broadband, PPPoE is still in use in residential, business, and even some datacenter networks.

On Windows, the PPPoE service runs with SYSTEM privileges. That means if someone finds a way to subvert how Windows handles PPPoE sessions or related traffic, they could potentially take control of the entire system.

About CVE-2023-23385

CVE-2023-23385 refers to a bug in the way Windows implements PPPoE session management. Attackers who already have a foothold — say, by running code as a regular user — can exploit this flaw to bump themselves up to SYSTEM, which is the highest privilege level on Windows.

How Does the Exploit Work?

In short, the vulnerability occurs because Windows doesn’t properly validate certain parameters in PPPoE packets. If an attacker can send specially crafted network traffic, or trick the Windows PPPoE service into parsing malicious data, the service may perform unintended actions.

Crafts a malicious PPPoE discovery packet or manipulates network configuration files.

3. Triggers processing by the PPPoE service (RasMan), which mishandles the data and runs attacker code as SYSTEM.

Example Exploit Code (Conceptual)

> ⚠️ Warning: This example is for educational purposes only. Never use exploits against systems you don’t own or have permission to test.

One path to exploitation involves crafting a malicious network packet or using a custom PPPoE client. The Windows system service listens for certain PPPoE messages during interface setup.

Below is a simplified C snippet demonstrating how an attacker might interact with the PPPoE service

#include <windows.h>
#include <ras.h>
#include <raserror.h>
#include <stdio.h>

// Prepare malicious PPPoE session parameters
RASDIALPARAMS rdp = {};
rdp.dwSize = sizeof(RASDIALPARAMS);
strcpy(rdp.szEntryName, "MaliciousEntry");

// Overwrite buffer with crafted data
memset(rdp.szPhoneNumber, 'A', sizeof(rdp.szPhoneNumber) - 1);

// Attempt to trigger vulnerability via RasDial
HRASCONN hRasConn = NULL;
DWORD res = RasDial(NULL, NULL, &rdp, , NULL, &hRasConn);

if (res != ERROR_SUCCESS) {
    printf("Attack failed: %d\n", res);
} else {
    printf("Attack may have succeeded\n");
}

This code intentionally overflows the szPhoneNumber field to test if the PPPoE service (RasMan) improperly trusts user data.

Original References

- Microsoft Security Advisory
- NVD Database Entry
- ZDI Blog “Multiple Vulnerabilities in Windows PPPoE”

Real-World Impact

If this vulnerability isn’t patched, an attacker with a regular user account could compromise an entire Windows system just by manipulating PPPoE network traffic or exploiting the local PPPoE interface. This could result in:

Mitigation

Microsoft has released patches for all affected platforms. Update your system immediately:

Run Windows Update

- Or download updates directly from the MSRC page.

If you don’t use PPPoE, you can also disable the affected service until you’re patched

Stop-Service RasMan
Set-Service RasMan -StartupType Disabled

Conclusion

CVE-2023-23385 is a real threat for networks using PPPoE — especially in shared, enterprise, or ISP environments. Exploiting this bug isn’t trivial, but public proof-of-concept code is likely to exist. The best defense is to patch fast and audit your exposures.

Stay safe, update often, and monitor your network for suspicious PPPoE activity!

More links to learn:  
- What is PPPoE?
- Microsoft: How to Use PPPoE on Windows

Timeline

Published on: 03/14/2023 17:15:00 UTC
Last modified on: 03/23/2023 16:59:00 UTC