CVE-2023-35367 - Understanding, Exploiting, and Mitigating Windows RRAS Remote Code Execution Vulnerability
In June 2023, Microsoft patched a significant vulnerability—CVE-2023-35367—in the Windows Routing and Remote Access Service (RRAS). This flaw could enable remote attackers to run arbitrary code with system privileges on vulnerable systems. Below, we’ll break down the vulnerability, show simple exploitation concepts (for educational and defensive purposes), and share how to protect your systems.
What is CVE-2023-35367?
CVE-2023-35367 is a Remote Code Execution (RCE) vulnerability in Windows' Routing and Remote Access Service (RRAS)—a feature often used for VPN and network routing capabilities. The RRAS service accepts and processes specially crafted network packets. An attacker who manages to send malicious packets to a target machine with RRAS enabled could potentially execute arbitrary code, gaining full system control.
Official References
- Microsoft Security Update Guide: CVE-2023-35367
- NVD Entry
Technical Details
The core of this vulnerability lies in how RRAS processes incoming Remote Access Network Protocol (RANP) messages. Improper input validation or buffer management in these routines can lead to buffer overflows or memory corruption, opening the door to code execution.
Some client versions are also affected if configured as VPN servers.
Important: You are only at risk if RRAS (Routing and Remote Access) is running and listening for remote connections.
Proof-of-Concept (PoC) Overview
*Note: The code below is for educational purposes only. Do NOT use it without explicit, legal permission on your own lab systems.*
The PoC consists of crafting and sending a specially structured network message that exploits the buffer overflow.
Here’s a simplified, abstract code snippet simulating how an attacker might send a malformed packet (using Python and scapy) to an RRAS-enabled server:
from scapy.all import IP, TCP, send
# Target RRAS server (replace with your test server IP)
target_ip = "192.168.1.10"
target_port = 1723 # Common for PPTP
malicious_payload = b"A" * 400 # Overlong payload; value chosen to trigger buffer bug
pkt = IP(dst=target_ip) / TCP(dport=target_port) / malicious_payload
print(f"[*] Sending malicious packet to {target_ip}:{target_port}")
send(pkt, count=1)
This is NOT the actual full exploit, but it demonstrates the kind of malformed input that can lead to RCE once the underlying RRAS parser mishandles it.
Stages of Exploitation
1. Reconnaissance: Attacker identifies a Windows server with RRAS enabled and exposed to the internet.
2. Exploit Packet: Sends the specially crafted packet (as above).
3. Code Execution: RRAS process overflows or corrupts memory, leading to attacker’s code running as ‘NT AUTHORITY\SYSTEM’.
4. Persistence/Escalation: Attacker can drop malware, establish reverse shells, or pivot within the network.
1. Apply Security Updates
Patch your systems immediately! Microsoft released official patches in June 2023. Find details and download links here:
- Microsoft Security Update Guide - June 2023
2. Disable RRAS if you don’t require VPN or routing services:
sc stop RemoteAccess
sc config RemoteAccess start= disabled
3. Firewall RRAS Ports
Restrict access to RRAS ports (e.g., TCP 1723 for PPTP) to trusted IPs only.
4. Monitor and Alert
Watch for unusual incoming traffic to RRAS ports.
5. Network Segmentation
Limit exposure of servers running RRAS, especially if internet-facing.
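To make the "Monitor and Alert" step concrete, here is an added detection example (not code from the original write-up): it parses Windows Firewall log records (the W3C-style pfirewall.log layout) and flags inbound hits on the ports RRAS typically listens on that come from outside an assumed trusted-address list. The trusted networks and the sample log lines are constructed for this example.

```python
import ipaddress

# Ports RRAS commonly listens on: PPTP control (TCP 1723) and L2TP/IPsec (UDP 500, 4500, 1701).
# SSTP (TCP 443) is left out because it is shared with ordinary HTTPS and would be too noisy.
RRAS_PORTS = {("TCP", 1723), ("UDP", 500), ("UDP", 4500), ("UDP", 1701)}

# Assumption: these are the only networks that should ever reach the RRAS server.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample in pfirewall.log format (header lines start with '#', last field is the path).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-07-12 10:15:32 ALLOW TCP 192.168.1.50 192.168.1.10 51234 1723 52 S 123456 0 8192 - - - RECEIVE
2023-07-12 10:15:40 ALLOW TCP 203.0.113.5 192.168.1.10 40001 1723 52 S 987654 0 8192 - - - RECEIVE
2023-07-12 10:16:01 DROP UDP 198.51.100.7 192.168.1.10 500 500 0 - - - - - - - RECEIVE
2023-07-12 10:16:05 ALLOW TCP 192.168.1.10 203.0.113.9 55000 443 52 S 1 0 8192 - - - SEND
"""

def parse_pfirewall_line(line):
    """Parse one firewall log record into a dict; return None for headers, blanks or malformed rows."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    try:
        return {"date": f[0], "time": f[1], "action": f[2], "proto": f[3],
                "src": ipaddress.ip_address(f[4]), "dst": ipaddress.ip_address(f[5]),
                "sport": None if f[6] == "-" else int(f[6]),
                "dport": None if f[7] == "-" else int(f[7]),
                "path": f[-1]}
    except ValueError:
        return None

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)

def find_untrusted_rras_hits(lines):
    """Return inbound (RECEIVE) records aimed at an RRAS port from a non-trusted source, ALLOW or DROP."""
    hits = []
    for line in lines:
        rec = parse_pfirewall_line(line)
        if rec is None or rec["path"] != "RECEIVE":
            continue
        if (rec["proto"], rec["dport"]) in RRAS_PORTS and not is_trusted(rec["src"]):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_untrusted_rras_hits(SAMPLE_LOG.splitlines()):
        print(f"{h['date']} {h['time']} {h['action']} {h['proto']} {h['src']} -> port {h['dport']}")
```

An ALLOW hit from an untrusted address means the firewall scoping from step 3 is not in place; DROP hits from many distinct sources are an early sign that the host is being probed.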
Real-World Impact
Because this bug enables remote SYSTEM-level code execution, unpatched servers are attractive targets. Internet-wide scans show hundreds of thousands of RRAS-enabled hosts. Systems running critical infrastructure, internal networks, or VPN servers are at special risk.
Final Thoughts
CVE-2023-35367 is dangerous but preventable. If you use RRAS, patch and lock down your services. Always block unnecessary exposure of routing/VPN functionality to the internet.
For further details or in-depth technical write-ups, check these respected resources:
- Microsoft Security Updates
- Huntress Labs summary
- SANS Internet Storm Center
Stay patched, stay safe!
*Author: Security Writeups Team, Last updated: 2024*
Timeline
Published on: 07/11/2023 18:15:00 UTC
Last modified on: 07/18/2023 14:06:00 UTC