CVE-2023-36568 - Inside the Microsoft Office Click-To-Run Elevation of Privilege Vulnerability

Microsoft Office is almost everywhere—at homes, offices, and even classrooms. But sometimes even the most trusted tools can have serious issues, like CVE-2023-36568. This vulnerability lets attackers gain higher privileges through the Office Click-To-Run service. In other words: if you're not patching your system, someone could use Office against you.

Let’s break it all down: what this bug is, how it works, how attackers might use it, and what you should do to stay safe.

What Is CVE-2023-36568?

CVE-2023-36568 is an elevation of privilege vulnerability found in Microsoft Office Click-To-Run Service. This service is responsible for installing and updating Office applications seamlessly, using a background service called ClickToRunSvc.

Because this service runs as SYSTEM (the most powerful account in Windows), if an attacker can trick the service or abuse its permissions, they might upgrade themselves from a normal user to SYSTEM. That’s bad news.

Official Reference

- Microsoft Security Advisory for CVE-2023-36568
- NVD CVE Entry

Vulnerability Details

The vulnerability allows a local, low-privileged attacker to execute code as SYSTEM by abusing the Click-To-Run service. Here’s the simplified version how:

Technical Breakdown

The core issue revolves around improper handling of file/folder permissions and process control. Specifically, the service may interact with resources that low-privilege users can change, such as directories or files, or accept parameters (like paths) it shouldn’t trust.

For example: if the service launches an update component and looks for it in a folder that a user can write to, the user can plant a malicious file there.

The Common method of exploiting such vulnerability

# Assume the service loads files from C:\Temp, which user can write to
# User plants a malicious DLL or EXE

Copy-Item .\evil.exe C:\Temp\legit.exe

# Trigger ClickToRunSvc to execute or pick up the payload
# This could be a scheduled update or forced update via some command

Or through setting up DACLs (permissions)

# Grant full control of service directory to everyone (bad practice)
icacls "C:\Program Files\Microsoft Office\root\ClickToRun" /grant Everyone:F

Of course, actual exploit code is more complex and specific to Click-To-Run service internals, but these types of permission misconfigurations are at the heart of the issue.

Exploit Scenario

Scenario: A regular user on a shared workstation wants SYSTEM privileges (for example, to dump passwords, disable security tools, or maintain persistence).

They find a writable path or parameter the Click-To-Run service uses.

3. They plant a file or tweak something so when the service runs as SYSTEM, it executes attacker’s code.

The exploit succeeds, and now the attacker has complete control over the machine.

This technique is common in privilege escalation: look for trusted services that insecurely load files or libraries, or that can be forced to execute attacker code.

Microsoft’s Fix

Microsoft patched this bug by correcting permissions and path handling. Now, Click-To-Run properly validates inputs and ensures only admins/service itself can write to critical directories.

Ensure non-admin users cannot write to sensitive folders.

> Tip: Use Microsoft Update Guide to find and download the right patch for your setup.

Proof-of-Concept (PoC)

While Microsoft and responsible researchers do not release weaponized code, you can test your system for weak permission settings.

Check if you can write to Click-To-Run folders

Test-Path "C:\Program Files\Microsoft Office\root\ClickToRun"
# Try to create a file:
New-Item -Path "C:\Program Files\Microsoft Office\root\ClickToRun\test.txt" -ItemType File

If this succeeds as a regular user, your system is potentially vulnerable and needs patching.

Conclusion

CVE-2023-36568 is a good reminder that even trusted Microsoft components can offer attackers a way in if not treated carefully. If you manage computers—at home or work—make sure Office is updated.

Timeline

Published on: 10/10/2023 18:15:13 UTC
Last modified on: 10/13/2023 15:10:58 UTC