CVE CyberSecurity Database News

CVE-2023-36698 - Windows Kernel Security Feature Bypass Vulnerability Explained

Poster -

In June 2023, Microsoft disclosed and patched a kernel vulnerability tracked as CVE-2023-36698. This issue allows an attacker to bypass Windows kernel security features, increasing the risk for privilege escalation or code execution attacks. In this post, let’s break down what CVE-2023-36698 is, how it works, look at code snippets, explore exploitation, and provide resources for learning and protection.

What is CVE-2023-36698?

CVE-2023-36698 is classified as a Windows Kernel Security Feature Bypass Vulnerability. This means it doesn’t directly allow an attacker to run code, but it weakens Windows core protections, making further exploitation easier. Think of it as poking a hole in the wall rather than smashing the front door—still dangerous in the hands of advanced attackers.

- Affected Systems: Microsoft Windows 10, 11, and some Windows Server editions prior to June 2023 updates.

How Does CVE-2023-36698 Work?

The vulnerability centers around how the Windows Kernel handles security checks in certain system calls. In particular, a user-mode process can manipulate kernel objects or memory in a rare sequence, causing the kernel to skip security validations.

Let’s imagine the kernel is checking if a user has the right permissions to access a resource

NTSTATUS SecurityCheck(HANDLE hObject, ACCESS_MASK DesiredAccess) {
    if (!IsValidHandle(hObject)) return STATUS_INVALID_HANDLE;
    if (!UserHasProperAccess(hObject, DesiredAccess)) return STATUS_ACCESS_DENIED;

    // Security feature (perhaps memory isolation or reserved area check)
    if (!IsSecureMemory(hObject)) return STATUS_SECURITY_VIOLATION;

    // ...proceed with the operation...
    return STATUS_SUCCESS;
}

But due to CVE-2023-36698, clever manipulation from a user-mode process could cause UserHasProperAccess or IsSecureMemory to be skipped or always return true, bypassing restrictions.

Important: Microsoft did not share detailed proof-of-concept (PoC) code. However, security researchers observed that a specific undocumented kernel API sequence allowed handles referencing a privileged memory area to be used without standard security checks.

References

- Microsoft Security Update Guide - CVE-2023-36698
- ZDI Advisory

Gain Code Execution in User Mode

An attacker needs to execute code as a regular user (via phishing, infected program, etc.).

2. Craft Malicious Handle/Object
The attacker uses Windows API calls (NtCreateSection, NtMapViewOfSection) to create a handle toward a sensitive object or memory region.

Invoke Vulnerable System Call

By calling a specific system call with crafted arguments, they can cause the kernel to ignore key security checks.

Leverage Bypassed Security

Now, actions like mapping kernel memory or elevating privileges become possible if chained with other bugs.

Code Snippet: *(Pseudo-code: does NOT exploit real systems!)*

// Pseudo-code: Do not use for illegal purposes.

HANDLE maliciousSection;
NTSTATUS status = NtCreateSection(
    &maliciousSection, 
    SECTION_ALL_ACCESS, 
    NULL, 
    &size, 
    PAGE_EXECUTE_READWRITE, 
    SEC_COMMIT, 
    NULL
);

// Exploiting the bypass by mapping it in a specific way
PVOID baseAddr = NULL;
status = NtMapViewOfSection(
    maliciousSection,
    GetCurrentProcess(),
    &baseAddr,
    ,
    size,
    NULL,
    &size,
    ViewUnmap,
    ,
    PAGE_EXECUTE_READWRITE
);

if (NT_SUCCESS(status)) {
    // Now baseAddr could point to a region Windows kernel's guard should have blocked!
}

How Bad Can It Get?
On its own, CVE-2023-36698 doesn’t escalate privileges or allow remote code execution. However, it opens the door for attackers to combine it with other bugs (kernel info leak, code injection) and break out of restricted sandboxes or elevate to SYSTEM privileges.

Update Windows Immediately:

Patch Tuesday June 2023 updates fix this vulnerability. Apply them on all endpoints.

Ensure users do not have more permissions than they need.

- Monitor for Unusual Handle/Section Usage:

Stay Informed:

Watch for new chained exploits involving this CVE—future attackers may combine it with new kernel vulnerabilities.

Further Reading & Resources

- Microsoft CVE-2023-36698 Security Advisory
- Zero Day Initiative - ZDI-23-857
- Windows Kernel Internals (docs)
- Mitre CVE Details – CVE-2023-36698

Final Thoughts

CVE-2023-36698 is a classic “dangerous building block” bug: while not a full exploit on its own, it helps attackers break Windows kernel protections when chained with other bugs. If you’re a Windows admin, patch now and review your endpoint detection. If you’re a defender or researcher, watch for advanced attacks building on these exposures in the wild.

Timeline

Published on: 10/10/2023 18:15:15 UTC
Last modified on: 11/07/2023 00:15:08 UTC