CVE-2023-29363 - Exploiting a Critical PGM RCE Vulnerability in Windows
In June 2023, Microsoft patched a critical vulnerability, CVE-2023-29363, in the Pragmatic General Multicast (PGM) implementation in Windows. The bug allows remote code execution (RCE) on affected systems. This post explains the technical details, shows at a conceptual level how an attacker would reach the flaw, and collects references for further research. It is written in plain language so that anyone can understand the risk and the attack.
What Is PGM?
PGM stands for Pragmatic General Multicast, a reliable multicast transport defined in RFC 3208. Windows ships an implementation of it mainly for enterprise software such as Microsoft Message Queuing (MSMQ). It lets one sender deliver the same packets to many receivers at once.
PGM is not installed by default. It arrives with the Message Queuing (MSMQ) Windows feature, specifically its Multicasting Support sub-feature, which administrators and some enterprise products add to servers and, less often, to workstations.
The Vulnerability: CVE-2023-29363
Microsoft disclosed CVE-2023-29363 as a remote code execution bug in Windows’ handling of PGM network traffic. Here’s the summary from Microsoft:
> A remote, unauthenticated attacker can send a specially crafted file over the network to execute arbitrary code on the system.
The root cause is a memory-handling error when parsing PGM packets. Because the PGM implementation lives in a kernel-mode driver, a successful exploit runs code in the kernel, which is at least as powerful as SYSTEM, the highest privilege level normally discussed on Windows.
Technical Details
Although Microsoft did not officially publish a proof-of-concept exploit, security analysts and reverse engineers have provided technical insights.
Where’s the Bug?
The problem exists inside the way that the PGM driver parses incoming protocol packets.
In affected versions, the driver does not properly validate the length and content of incoming PGM packets, so a crafted packet can cause a memory overwrite. Note that PGM is not a UDP service: it runs directly on top of IP as IP protocol number 113 (RFC 3208), which is why a UDP port filter does not protect it. The MSMQ service that brings PGM along does listen on TCP port 1801, which is a convenient way to spot MSMQ hosts on a network.
Exploit Concept (Simple Example)
Below is a simplified attack *concept*. Because working exploitation of this flaw carries real risk, only a *simulated* placeholder is shown; it does not speak PGM at all.
import socket
PGM_PORT = 6891  # Placeholder port: real PGM is IP protocol 113, not a UDP port
# Prepare a "malicious" packet (NOTE: placeholder, not real exploit code)
malicious_packet = b'\x00' * 140 + b'\xef\xbe\xad\xde'  # 144 bytes of filler standing in for overlong data
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
target = ("victim_IP", PGM_PORT)  # Replace with the victim's IP
# Send multiple crafted packets
for _ in range(10):
    s.sendto(malicious_packet, target)
s.close()
print("Malicious packets sent to PGM port")
*Even as a concept, this only matters against a host that:*
- has Message Queuing with multicast support enabled, so PGM traffic is processed at all
- has not received the June 2023 security update
- is reachable for PGM traffic through whatever firewalls sit in between
For ethical reasons, real exploitation details are omitted. For the full technical research, see the references below.
Defensive Moves
- PATCH IMMEDIATELY! – Install Microsoft’s June 2023 Security Updates.
- Disable PGM if you do not need it – remove the MSMQ Multicasting Support sub-feature, or Message Queuing altogether, wherever nothing depends on it.
- Limit exposure – PGM is IP protocol 113, not a UDP port, so filter that protocol at the network edge and in host firewalls, and only allow MSMQ (TCP 1801) from hosts that need it.
- Verify before you trust – check each Windows host for the Message Queuing service, the multicast feature and the patch level rather than assuming PGM is absent.
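To make the "verify before you trust" step concrete, here is an added audit script that checks one host for the conditions that make CVE-2023-29363 reachable. It is not code from the original post or from Microsoft. The cmdlets are standard Windows PowerShell; the feature names MSMQ-Multicasting (server) and MSMQ-Multicast (client) and the driver service name RMCAST are assumptions that you should confirm on your own build. Run it in an elevated session.

```powershell
# Added audit example for CVE-2023-29363 exposure. Not code from the original
# post or from Microsoft. Feature names and the RMCAST driver name are
# assumptions; verify them on your build. Run in an elevated PowerShell session.

$report = [ordered]@{}

# 1. Message Queuing service: PGM is only reachable when MSMQ is installed.
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$report['MSMQ service'] = if ($msmq) { $msmq.Status } else { 'not installed' }

# 2. Multicast (PGM) sub-feature. Server SKUs have Get-WindowsFeature;
#    client SKUs expose the same thing through optional features.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $feat = Get-WindowsFeature -Name MSMQ-Multicasting -ErrorAction SilentlyContinue
    $report['PGM feature'] = if ($feat) { $feat.InstallState } else { 'unknown' }
} else {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicast -ErrorAction SilentlyContinue
    $report['PGM feature'] = if ($feat) { $feat.State } else { 'unknown' }
}

# 3. Reliable Multicast driver (assumed service name RMCAST). If it is running,
#    the kernel code that parses PGM is live on this host.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'"
$report['RMCAST driver'] = if ($drv) { "$($drv.State) ($($drv.PathName))" } else { 'not present' }

# 4. MSMQ listener on TCP 1801: a quick network-side indicator of an MSMQ host.
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$report['TCP 1801 listening'] = [bool]$listener

# 5. Patch-level heuristic: newest hotfix install date. Cumulative updates are
#    not always listed by Get-HotFix, so treat False as "go and check",
#    not as proof that the host is unpatched.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['Latest hotfix'] = if ($latest) { "$($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" } else { 'none listed' }
$report['Update on/after 2023-06-13'] = [bool]($latest -and $latest.InstalledOn -ge [datetime]'2023-06-13')

# 6. Host firewall: PGM is IP protocol 113, so a UDP port rule does not cover it.
$pgmRules = Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq '113' } | Get-NetFirewallRule
$report['Firewall rules for IP proto 113'] = if ($pgmRules) { ($pgmRules.DisplayName -join '; ') } else { 'none' }

[pscustomobject]$report | Format-List

# Remediation when PGM is not needed (uncomment the line that fits the SKU):
#   Uninstall-WindowsFeature -Name MSMQ-Multicasting                     # server
#   Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicast   # client
#   New-NetFirewallRule -DisplayName 'Block inbound PGM (IP 113)' -Direction Inbound -Protocol 113 -Action Block
```

A host where the MSMQ service is absent, the multicast feature is not installed and the RMCAST driver is not present does not process PGM and is out of scope for this bug regardless of patch level; anything else should be patched first and then reduced to the smallest MSMQ footprint the workload actually needs.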
References & Further Reading
- Microsoft Security Advisory – CVE-2023-29363
- ZDI Advisory (ZDI-23-721): Windows PGM RCE
- Trend Micro Research Blog: Kernel Bugs in Windows Message Queuing Protocol
- Exploit Database (Search PGM CVEs)
TL;DR
CVE-2023-29363 is a critical remote code execution bug in Windows’ PGM protocol handler. Only systems with Message Queuing and its multicast (PGM) support enabled are at risk, but successful exploitation means full remote compromise of the machine. Patch now, disable PGM if you do not need it, and filter PGM (IP protocol 113) and MSMQ traffic at the network edge!
If you’re a sysadmin or InfoSec professional, use this as a reminder: Network services you “never use” can still bite you. Turn off, patch, protect.
Timeline
Published on: 06/14/2023 00:15:00 UTC
Last modified on: 06/20/2023 19:59:00 UTC