CVE-2023-36772 - A Deep Dive into 3D Builder Remote Code Execution (RCE) Vulnerability
Today we’re unpacking CVE-2023-36772, a security hole in Microsoft’s 3D Builder that let attackers run malicious code remotely. This post walks you through what happened, who’s affected, how it works, and how to defend yourself, all in plain language and with exclusive details just for you. If you work in IT, security, or just like to tinker, read on!
What Is 3D Builder?
3D Builder is a free app from Microsoft for Windows. It lets users create, view, and print 3D models. It supports popular 3D file formats, making it an essential tool for hobbyists and some small businesses.
About CVE-2023-36772
CVE-2023-36772 is a Remote Code Execution (RCE) vulnerability in 3D Builder. In simple terms: if someone tricks you into opening a rigged 3D file, they could run programs on your computer without your permission.
Official Microsoft advisory:
👉 Microsoft Security Update Guide: CVE-2023-36772
1. The Attack Vector
Attackers make a malicious 3D model file (like .3mf, .stl, or .obj). They send it to you by email, chat, or cloud storage, asking you to view it in 3D Builder.
2. The Vulnerability
There’s a bug in how 3D Builder processes certain content inside 3D files. By crafting the file a special way, hackers can trick the app into running harmful code hidden inside.
3. The Results
When you double-click the file, the malicious code runs, and your system does whatever the attacker wants (install malware, steal data, etc.).
Proof-of-Concept (PoC) Example
Below is a simple code snippet showing how an attacker might smuggle code in a 3D file. *(For educational use only!)*
Suppose a crafted .3mf file contains a hidden payload:

```xml
<!-- Example snippet from malicious.3mf -->
<Model>
  <Resources>
    <Object id="5" type="model">
      <p:Properties xmlns:p="http://schemas.microsoft.com/3dmanufacturing/material/2015/02">
        <![CDATA[
          <?php echo system('calc.exe'); ?>
        ]]>
      </p:Properties>
    </Object>
  </Resources>
</Model>
```
In reality, the exploit uses binary formats and memory corruption tricks, but the idea is to insert something like system('calc.exe') (or worse) so it runs when 3D Builder parses the model.
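Since the attack starts with a crafted file arriving by email, chat, or a cloud link, the practical defence besides patching is to triage .3mf files before anyone opens them. The script below is an added example, not code from this post, from Microsoft, or from ZDI. It assumes only the public 3MF container layout (an OPC ZIP package holding `[Content_Types].xml`, `_rels/.rels` and a `.model` part); the sample packages it builds are constructed inline, the size and compression thresholds are assumptions, and the embedded PHP text mirrors the snippet above, which is illustrative rather than a working exploit. It cannot detect the memory-corruption bug itself; it flags containers that carry declarations, processing instructions, or markup-like text a legitimate model never needs, which is the kind of check a mail gateway or file-intake pipeline can run before a file reaches 3D Builder.

```python
"""Structural triage of .3mf files (added example; not the post's or Microsoft's code).

A 3MF file is an OPC package: a ZIP archive holding [Content_Types].xml,
_rels/.rels and a model part (usually 3D/3dmodel.model). Nothing here renders
the model; it only checks that the container looks like an ordinary 3MF and
flags content that a legitimate model never carries.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CORE_NS = "http://schemas.microsoft.com/3dmanufacturing/core/2015/02"
MATERIAL_NS = "http://schemas.microsoft.com/3dmanufacturing/material/2015/02"
REQUIRED_PARTS = ("[Content_Types].xml", "_rels/.rels")
ALLOWED_SUFFIXES = (".model", ".rels", ".xml", ".png", ".jpg", ".jpeg")
MAX_PART_BYTES = 50 * 1024 * 1024   # assumption: upper bound for a single part
MAX_RATIO = 200                     # assumption: beyond this, treat as a zip bomb
# Markup-like text has no place inside model text nodes or attribute values.
SUSPICIOUS_TEXT = re.compile(r"<\?|<!|<script", re.IGNORECASE)


def scan_xml_part(name: str, raw: bytes) -> list:
    """Return findings for one XML part of the package."""
    # A DTD is never part of 3MF; refuse it before the parser ever sees it.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return [f"{name}: DTD or entity declaration, which 3MF never uses"]
    # insert_pis=True keeps processing instructions (e.g. <?php ...?>) in the
    # tree so they can be reported; ElementTree drops them silently otherwise.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_pis=True))
    try:
        root = ET.fromstring(raw, parser=parser)
    except ET.ParseError as exc:
        return [f"{name}: malformed XML ({exc})"]
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):   # a processing-instruction node
            findings.append(f"{name}: processing instruction <?{el.text}?> in model")
            continue
        for value in (el.text or "", el.tail or "", *el.attrib.values()):
            if SUSPICIOUS_TEXT.search(value):
                findings.append(
                    f"{name}: script-like text in <{el.tag}>: {value.strip()[:60]!r}")
                break
    return findings


def triage_3mf(data: bytes) -> list:
    """Return a list of findings; an empty list means the container looks ordinary."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP container, so not a 3MF package"]
    names = zf.namelist()
    findings = [f"missing required OPC part {p}" for p in REQUIRED_PARTS if p not in names]
    if not any(n.lower().endswith(".model") for n in names):
        findings.append("no .model part present")
    for info in zf.infolist():
        if info.is_dir():
            continue
        name, lower = info.filename, info.filename.lower()
        if name.startswith("/") or ".." in name.split("/"):
            findings.append(f"path traversal in part name: {name}")
        if not lower.endswith(ALLOWED_SUFFIXES):
            findings.append(f"unexpected part type: {name}")
        if info.file_size > MAX_PART_BYTES:
            findings.append(f"oversized part: {name} ({info.file_size} bytes)")
            continue                       # do not even decompress it
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            findings.append(f"suspicious compression ratio: {name}")
        if lower.endswith((".model", ".rels", ".xml")):
            findings.extend(scan_xml_part(name, zf.read(name)))
    return findings


# --- Constructed samples (not files from any real incident) -------------------
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="model" ContentType="application/vnd.ms-package.3dmanufacturing-3dmodel+xml"/>'
    "</Types>"
)
RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rel0" Target="/3D/3dmodel.model" '
    'Type="http://schemas.microsoft.com/3dmanufacturing/2013/01/3dmodel"/>'
    "</Relationships>"
)
# A tetrahedron: the smallest closed mesh.
BENIGN_MODEL = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<model unit="millimeter" xmlns="{CORE_NS}"><resources>'
    '<object id="1" type="model"><mesh><vertices>'
    '<vertex x="0" y="0" z="0"/><vertex x="10" y="0" z="0"/>'
    '<vertex x="0" y="10" z="0"/><vertex x="0" y="0" z="10"/></vertices>'
    '<triangles><triangle v1="0" v2="1" v3="2"/><triangle v1="0" v2="3" v3="1"/>'
    '<triangle v1="0" v2="2" v3="3"/><triangle v1="1" v2="3" v3="2"/></triangles>'
    '</mesh></object></resources><build><item objectid="1"/></build></model>'
)
# Same mesh carrying the kind of smuggled text the post's snippet shows (harmless text).
SUSPICIOUS_MODEL = BENIGN_MODEL.replace(
    "<build>",
    f'<p:Properties xmlns:p="{MATERIAL_NS}"><![CDATA[<?php echo "smuggled"; ?>]]>'
    "</p:Properties><build>",
)


def build_sample_3mf(model_xml: str) -> bytes:
    """Pack a model part into a minimal in-memory 3MF container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", RELS)
        zf.writestr("3D/3dmodel.model", model_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, model in (("benign", BENIGN_MODEL), ("suspicious", SUSPICIOUS_MODEL)):
        print(label, triage_3mf(build_sample_3mf(model)) or "no findings")
```

Run it as-is to see the benign container pass and the smuggled text get reported; to triage a real file, pass the bytes of the .3mf to `triage_3mf`. The DTD check runs on the raw bytes on purpose: handing a DTD to any XML parser is what enables entity-expansion tricks, and no 3MF model needs one, so the file is rejected before parsing rather than after.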
Exploit Details
- In the wild: No widespread attacks reported (as of writing), but security researchers have released proof-of-concept exploits after Microsoft patched the issue.
- How attackers deliver: Cloud sharing links
- Technical Details:
- Mitigation: Updated 3D Builder library

> For a detailed technical breakdown, check this analysis from Zero Day Initiative:
> ZDI-23-1306
More Reading
- Microsoft advisory: CVE-2023-36772
- ZDI Analysis: ZDI-23-1306
- General info on RCE: OWASP: Remote Code Execution
Summary
CVE-2023-36772 is a wake-up call about the risks hiding in even “safe” apps like 3D Builder. Stay smart: update, stay alert, and share this info to help others avoid a silent attack. If you find weird 3D files in your inbox, think twice; they could be more than art!
Stay secure!
*Exclusive by your AI security reporter*
Timeline
Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC