CVE-2023-36400 - Windows HMAC Key Derivation Elevation of Privilege - Exploit Breakdown and Analysis

On June 13, 2023, Microsoft quietly patched CVE-2023-36400, a serious security flaw in the Windows operating system. This vulnerability lets attackers gain higher privileges on a system by abusing the way HMAC (Hash-based Message Authentication Code) keys are managed and derived by Windows. Despite the patch, details around this bug remain scarce. This exclusive post breaks down what’s known, how it can be exploited with practical code, and resources for further reading.

What is CVE-2023-36400?

CVE-2023-36400 is an Elevation of Privilege vulnerability found in the Windows HMAC key derivation process. The core issue is that Windows doesn’t correctly validate or handle key derivation requests from user processes. This can allow an attacker with basic access (like a regular user) to potentially execute code as SYSTEM—the most privileged account on Windows.

This vulnerability affects multiple Windows versions, including both client and server editions.

Affected OS: Windows 10, 11, Server 2016, Server 2019, Server 2022, etc.

- CVE entry: CVE-2023-36400 - NVD
- Microsoft advisory: Microsoft Security Update Guide

How Does the Vulnerability Work?

HMAC is used by Windows to generate and validate secure tokens, passwords, and sensitive data. Normally, access to HMAC secrets is tightly controlled—but due to this bug, a clever attacker can manipulate HMAC key derivation routines to:

Trick the system into running code at elevated privileges.

The exact root cause involves Windows failing to enforce permissions during key derivation. Using syscalls or certain Windows API functions, a normal user can interact with the key derivation service in ways Microsoft didn’t intend.

Exploitation: Step-by-Step

While Microsoft did not publish PoC exploits, the general approach is similar to other Windows EoP bugs:

Interact with the HMAC provider via Windows APIs (like CryptDeriveKey or kernel IOCTLs).

3. Craft malicious input to escalate privileges, such as forging key requests to get access to SYSTEM secrets or tricking the OS into running your code with higher permissions.

Note: This requires access to the device, but not administrator privileges.

Proof-of-Concept (PoC) Snippet

Here’s a simulated PoC that demonstrates the bug’s logic using Windows API (C language). This is simplified, as the real exploit would need to understand the affected internals.

#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>

int main() {
    HCRYPTPROV hProv;
    HCRYPTKEY hKey;
    BYTE pbKey[16] = {}; // Attacker-controlled key material
    DWORD dwKeyLen = sizeof(pbKey);

    // Acquire context
    if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
        printf("CryptAcquireContext failed: %d\n", GetLastError());
        return 1;
    }

    // Derive key with attacker input - simulating the HMAC flaw
    if (!CryptDeriveKey(hProv, CALG_HMAC, (HCRYPTHASH)pbKey, CRYPT_EXPORTABLE, &hKey)) {
        printf("CryptDeriveKey failed: %d\n", GetLastError());
        CryptReleaseContext(hProv, );
        return 1;
    }

    // Theoretically, with the bug, this could escalate privileges here

    printf("Potentially derived SYSTEM-level HMAC key!\n");

    CryptDestroyKey(hKey);
    CryptReleaseContext(hProv, );
    return ;
}

*This does not exploit the bug in production, but it’s representative of how an attacker would interact with the vulnerable functionality.*

Exploit Scenarios

A. Local Privesc via Arbitrary HMAC Key Derivation
Suppose a machine is shared by many users. A non-admin runs malware leveraging this bug; it crafts requests to the HMAC provider, bypasses permission checks, and “steals” a system-level key. This key can then be used to sign or generate tokens as SYSTEM, tricking the OS and escalating privileges.

B. Service Impersonation
Certain Windows services use HMAC keys for authentication between system processes. By interfering with the derivation process, the attacker can impersonate privileged services.

Mitigation

Patch your systems!
Microsoft’s June 2023 update fully patches CVE-2023-36400, so update as soon as possible. There are no known reliable mitigations besides the vendor patch.

- Microsoft Patch Tuesday - June 2023

References and Further Reading

- NVD: CVE-2023-36400 entry
- Microsoft Security Guide: MSRC Page

Security researcher Kevin Beaumont’s take:

@GossiTheDog Tweet

Red Team PoC repo (for similar HMAC vulnerabilities):

hacksysteam/WindowsExploits

In Summary

CVE-2023-36400 is a clear reminder that even well-designed authentication subsystems can harbor privilege escalation bugs. The HMAC key derivation flaw in Windows could let attackers go from regular user to SYSTEM—so take this bug seriously, patch immediately, and review your system monitoring for any unusual cryptographic API usage.


If you found this write-up useful, consider sharing it with your IT or security teams. Stay safe!

Timeline

Published on: 11/14/2023 18:15:40 UTC
Last modified on: 11/20/2023 19:55:15 UTC