CVE-2023-36394 - Breaking Down the Windows Search Service Elevation of Privilege Vulnerability

In June 2023, Microsoft disclosed CVE-2023-36394, a serious Elevation of Privilege (EoP) vulnerability in the Windows Search Service. This vulnerability doesn’t grab headlines like remote code execution bugs, but in the right hands, it can mean full control over a Windows system. This long-read breaks down what CVE-2023-36394 is, how it works, shows some relevant code snippets, and why patching matters.

What Is CVE-2023-36394?

At its heart, CVE-2023-36394 is a flaw in the Windows Search Service—a system service used by millions to index files and allow quick searches on Windows. The issue allows a local attacker to gain elevated privileges, essentially turning a regular user into a system administrator.

Microsoft ranked this vulnerability as Important with a base CVSS score of 7.8.

How the Vulnerability Works (In Simple Words)

The Windows Search Service runs under SYSTEM privilege and interacts with files and folders owned by users. If the permissions on some resources are not set properly, or if the service trusts user-controlled input in the wrong way, this opens the door for an attacker.

A local user can trick the Search Service into running code with higher privileges.

- This is usually achieved by exploiting writable file/folder permissions, symlinks (symbolic links), or manipulating search index files.

A Practical Example

Let’s say the service blindly tries to read from or write to a directory the user controls, or follows a symlink placed by the attacker to a sensitive file. In such cases, the attacker can escalate their rights.

Proof-of-Concept Snippet

While there are no official public exploits at the time of this writing (and for ethical/legal reasons, we won’t provide an actual working exploit), here’s an abstract code snippet that demonstrates the pattern of a symbolic link attack, often used for these vulnerabilities:

import os
import sys

# Location controlled by attacker
user_controlled = r"C:\Users\attacker\AppData\Local\Temp\victim-folder"
target_file = r"C:\Windows\System32\drivers\etc\hosts"  # A sensitive file

# Clean any previous attempt
if os.path.exists(user_controlled):
    os.rmdir(user_controlled)

# Create a directory junction (symlink) to the hosts file
os.system(f'mklink /D "{user_controlled}" "{target_file}"')

print("Symlink created. When Windows Search Service accesses this folder, it will touch the system file!")

Note: This is for educational purposes only—not a working exploit, but shows the simple mechanics attackers use.

User gains access to a PC, even as a standard user.

2. User finds/create a folder or file that the Windows Search Service interacts with and is writable.

User replaces it with a symlink that points to a protected file or folder (like SYSTEM files).

4. If the Search Service acts on the resource with SYSTEM privileges, it could overwrite, change permissions, or otherwise compromise the file.

Local only: Can’t be exploited remotely.

- Low complexity: Just needs access to the machine and software/tools to create symlinks or edit permissions.

Impact: SYSTEM privilege escalation.

- Exploit code: As of June 2024, no known public Metasploit modules or GitHub PoCs, but it’s technically simple for attackers.

Official Patch

Microsoft addressed this in the June 2023 Patch Tuesday. The update improves how the Search Service checks permissions and sanitizes access.

Patch Your Systems:
To fix, install June 2023 or later Windows updates.

# Simple way to check and install available Windows Updates
Install-Module PSWindowsUpdate
Get-WindowsUpdate
Install-WindowsUpdate

Restrict local user access to Search Service folders (hard, not practical everywhere).

- Use endpoint security tools to monitor for creation of suspicious symlinks or abnormal SearchIndexer.exe activity.

References

- Microsoft Advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36394
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-36394
- Information on Windows Search Service: Microsoft Docs

Closing Thoughts

Elevation of Privilege bugs like CVE-2023-36394 are often overlooked, but they're goldmines for attackers with local access or malware seeking persistence. If you’re a sysadmin or power user, apply Microsoft’s latest updates—don’t wait until someone uses tricks like these to become the admin on your systems.

Timeline

Published on: 11/14/2023 18:15:38 UTC
Last modified on: 11/20/2023 18:06:52 UTC