CVE-2023-38147 - Windows Miracast Wireless Display Remote Code Execution Vulnerability Explained
---
Windows’ Miracast wireless display feature lets you mirror your PC or phone display wirelessly to TVs and projectors. It’s convenient for business presentations or streaming at home. But in late 2023, a serious flaw—CVE-2023-38147—was discovered, opening the door for hackers to remotely run malicious code on Windows devices using Miracast.
In this exclusive deep-dive, you’ll learn what CVE-2023-38147 is all about, how the vulnerability can be exploited, and how to protect yourself. We include code snippets that peek under the hood, links to official advisories, and an easy-to-understand walkthrough for everyone, not just security pros.
What is Miracast, and How Does it Work?
Miracast is a wireless display standard built into Windows since Windows 8.1. It lets you project your screen or media from one device to another (like a TV, projector, or streaming box) without cables, relying on Wi-Fi Direct.
- Your PC or device broadcasts a wireless signal.
- The receiving display (TV/projector) connects via Wi-Fi Direct.
- They talk using a series of protocol messages, negotiating media streaming.
What is CVE-2023-38147?
CVE-2023-38147 is a remote code execution (RCE) vulnerability in the Windows Miracast wireless display miniport driver. It allows an attacker on the same Wi-Fi network (or within wireless range) to craft specially formed protocol frames that, when received by a vulnerable Windows system, allow execution of code with SYSTEM-level privileges—often the highest possible access.
Microsoft’s Official Advisory
- Microsoft Security Response Center (MSRC) – CVE-2023-38147
Excerpt
> “A remote code execution vulnerability exists when Windows Wireless Display improperly handles objects in memory. An attacker who successfully exploited the vulnerability could take control of an affected system. ... The attacker must be within proximity of the target system and be able to communicate with the device using Miracast.”
> — MSRC, August 2023
1. Finding a Target:
The attacker is within Wi-Fi range and scans for devices with Miracast enabled (“Projecting to this PC” is turned on).
2. Protocol Abuse:
They use tools that let them act as a rogue Miracast receiver or sender. By crafting specific malformed protocol frames (see sample code below), they force the Windows driver to mishandle memory.
3. Remote Code Execution:
Malformed frames cause a buffer overflow in the driver, allowing injected malicious code to run with SYSTEM privileges on the victim device—effectively giving the attacker full control.
Proof-of-Concept (PoC) – Simulated Exploit Code
Below is an educational, simplified Python snippet to illustrate the kind of malformed communication a hacker might attempt using scapy, a popular packet crafting tool (Note: Miracast uses custom frames derived from Wi-Fi Direct and RTSP for session negotiation).
```python
from scapy.all import IP, TCP, Raw, send

# Simulate a malformed Miracast RTSP frame sent to the victim's port
def create_malformed_rtsp(target_ip):
    # Craft an oversized header to trigger buffer overflow
    rtsp_payload = b"OPTIONS " + b"A"*2048 + b" RTSP/1.\r\n\r\n"
    # 7236 is the default Miracast session port
    pkt = IP(dst=target_ip)/TCP(sport=56832, dport=7236)/Raw(load=rtsp_payload)
    return pkt

victim_ip = "192.168.1.20"  # Replace with actual device IP
packet = create_malformed_rtsp(victim_ip)
send(packet)
print("Malformed RTSP packet sent to Miracast port of target.")
```
*This is only a demonstration and not a weaponized exploit.*
2. The attacker sends a connection request with custom protocol fields.
3. During the Miracast session handshake, the attacker sends a malformed RTSP command (see above), causing improper handling by the Windows miniport driver.
- Devices with Wi-Fi (not using Ethernet only)
- Specifically, any system without the security patch released in August 2023 (refer to the MSDN update guide)
How to Protect Yourself
1. Update Windows – Apply the latest security updates. CVE-2023-38147 was patched in August 2023.
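Alongside patching, the malformed request shape described in the walkthrough can be flagged on the wire. The following is an added example, not code from Microsoft or from the original article: a validator for one reassembled RTSP request taken from a Miracast session on TCP 7236. The function name, the anomaly labels and the 512-byte limit are assumptions chosen for illustration.

```python
import re

# Assumed threshold for illustration; tune it against real traffic.
MAX_LINE = 512          # longest start line or header line accepted
RTSP_METHODS = {        # request methods defined by RFC 2326
    b"OPTIONS", b"DESCRIBE", b"ANNOUNCE", b"SETUP", b"PLAY", b"PAUSE",
    b"TEARDOWN", b"GET_PARAMETER", b"SET_PARAMETER", b"REDIRECT", b"RECORD",
}
REQUEST_LINE = re.compile(rb"([A-Z_]+) (\S+) RTSP/(\d)\.(\d)")


def inspect_rtsp_request(payload: bytes) -> list:
    """Return a list of anomaly labels for one reassembled RTSP request."""
    findings = []
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        findings.append("unterminated-header-block")
    lines = head.split(b"\r\n")
    start, headers = lines[0], lines[1:]

    if len(start) > MAX_LINE:
        findings.append("oversized-request-line")
    m = REQUEST_LINE.fullmatch(start)
    if m is None:
        findings.append("malformed-request-line")
    elif m.group(1) not in RTSP_METHODS:
        findings.append("unknown-method")

    names = set()
    for line in headers:
        if len(line) > MAX_LINE:
            findings.append("oversized-header")
        name, colon, _value = line.partition(b":")
        if not colon or not name.strip():
            findings.append("malformed-header")
        names.add(name.strip().lower())
    if b"cseq" not in names:          # CSeq is mandatory in RTSP requests
        findings.append("missing-cseq")
    return findings

# Constructed samples: a well-formed capability probe and the oversized
# request shape from the snippet earlier on this page.
BENIGN = b"OPTIONS * RTSP/1.0\r\nCSeq: 1\r\nRequire: org.wfa.wfd1.0\r\n\r\n"
OVERSIZED = b"OPTIONS " + b"A" * 2048 + b" RTSP/1.\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, inspect_rtsp_request(sample))
```

An empty list means the request passed every check; any label is a reason to log the peer address and review the session.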
Resources & Further Reading
- Microsoft Security Guidance for CVE-2023-38147
- Miracast Architecture (docs)
- CERT/CC Vulnerability Note
- Scapy Documentation
Conclusion
CVE-2023-38147 shows how wireless convenience can become a major risk—especially when low-level drivers are exposed to malicious input. If you use Windows Miracast, apply patches and keep wireless display features off when not needed. Hardening isn't just for experts: it keeps your presentations, your streaming, and most importantly your data safe.
Stay alert, stay updated—and share this with anyone using Miracast at home or on the road!
*If you'd like more technical detail, protocol breakdowns, or defensive guidance for your organization, let us know in the comments.*
Timeline
Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC