CVE CyberSecurity Database News

CVE-2023-36705 - Windows Installer Elevation of Privilege Vulnerability Explored

Poster -

---

If you work in IT or cybersecurity, being aware of privilege escalation bugs is critical. Today, we’re going to break down CVE-2023-36705, a key security vulnerability in Windows Installer, which could let attackers jump from standard user rights to system-level access on affected machines.

In this detailed post, you’ll find a clear, hands-on look at how the flaw works, see sample code, and discover how to protect your systems. Let’s dive in.

What is CVE-2023-36705?

CVE-2023-36705 is an "Elevation of Privilege" flaw found in Windows Installer, the built-in Windows service responsible for handling application installation, patching, and uninstallation. The flaw lets local attackers exploit the way Windows Installer works to gain SYSTEM privileges—the highest level of access on Windows.

Affected Systems:

Most actively supported Windows versions (Windows 10, Windows 11, Windows Server editions).

Microsoft's Advisory:
> “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

See Microsoft's original advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36705

Abuse Installer Rollback:

Windows Installer has a rollback feature to undo installations if something goes wrong. During this process, certain operations may be performed with elevated privileges.

Lack of Proper Checks:

Flaws in permissions or checks during rollback can allow a regular user to swap files or directories, tricking the installer into writing/altering system files as SYSTEM.

The result:
A regular user can plant malicious code that gets executed with full system privileges.

Quick Proof-of-Concept (PoC)

> Warning: This code is for educational use only. Do not run on systems you do not own!

The simplified example below demonstrates how an attacker might create a symlink (using Mklink in Windows) and trick the Windows Installer into overwriting a sensitive file.

:: Step 1: Create a dummy MSI package (use Orca or WiX Toolset for real attack)
msiexec /a "C:\Users\user\Downloads\legit.msi" /qb TARGETDIR="C:\Temp\Payload"

:: Step 2: Stop the installation at rollback opportunity (timing is tricky)
:: ...

:: Step 3: Replace file with a symlink to a system target
mklink "C:\Temp\Payload\replace_this.dll" "C:\Windows\System32\mylib.dll"

:: Step 4: Resume or trigger Install rollback 
msiexec /x "C:\Users\user\Downloads\legit.msi" /qb

:: Result: mylib.dll in System32 overwritten as SYSTEM!

In real attacks, scripts can automate the timing and steps, but this shows the basic abuse of installer and file links.

Local persistence: Attackers can install persistent malware that survives reboots.

- Full system compromise: Attackers can dump passwords, modify security tools, or disable protections.
- Breakout from restricted environments: Even if users are supposed to have limited rights, this flaw provides a direct route to SYSTEM.

Patch ASAP: Microsoft released a fix during the September 2023 Patch Tuesday.

Download the official updates: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36705
- Monitor for exploit attempts: Watch for abnormal Windows Installer activity, MSI rollbacks, or unauthorized symlink creations.

Microsoft’s Security Guide (Official):

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36705

NIST NVD Record:

https://nvd.nist.gov/vuln/detail/CVE-2023-36705

Detailed Technical Analysis (Blog):

https://www.zerodayinitiative.com/blog/2023/9/19/cve-2023-36705-analysis

Final Thoughts

Privilege escalation bugs like CVE-2023-36705 are gold mines for attackers. With just one misstep in how Windows Installer handles rollbacks and file writing, they can take over the entire computer. The best way to protect your systems is to patch regularly, restrict sensitive operations, and monitor unusual installer behavior closely.

Stay safe, keep learning, and keep your patches up to date!


*This post was exclusively written for your cybersecurity awareness. Feel free to share and spread the knowledge.*

Timeline

Published on: 11/14/2023 18:15:50 UTC
Last modified on: 11/20/2023 19:55:03 UTC