
CVE-2023-28297 is an elevation of privilege vulnerability in the Windows Remote Procedure Call Service (RPCSS) that could allow an attacker who already has low-privileged access to an affected Windows system to gain higher privileges and, from there, full control of the machine. In this article we summarize what is known about the vulnerability, its scope, a sketch of the code pattern involved, the preconditions for exploitation, and the recommended mitigation, with pointers to the original sources.

According to the official disclosure, the following Windows operating systems are affected by this vulnerability (consult the advisory for the complete list of affected versions and builds):

Windows 11

You can consult Microsoft's official CVE-2023-28297 advisory in the Security Update Guide for more information on this issue.

Vulnerability Analysis

Windows Remote Procedure Call (RPC) is a powerful, yet often misunderstood, feature of the Windows operating system that lets a process call procedures in another process on the same machine or on a remote one. The RPC runtime itself lives in rpcrt4.dll; the RPCSS service (Remote Procedure Call Subsystem, implemented in rpcss.dll and hosted in a svchost.exe process running as a system service) provides the endpoint mapper and DCOM activation that RPC clients depend on, which is why a flaw in it is attractive for privilege escalation.

CVE-2023-28297 is the result of a flaw in RPCSS that allows a local, low-privileged attacker to bypass the restrictions that User Account Control (UAC) and the normal token boundaries are meant to enforce, and so elevate their privileges. In practice this means that an attacker with limited access to a system could execute code with elevated privileges and possibly take over the entire system.

The RPCSS source is not public, so the snippet below is a schematic sketch of the token-handling pattern this write-up attributes to the bug, not code taken from rpcss.dll:

// Schematic sketch of the vulnerable token-handling pattern (not RPCSS source)
#include <windows.h>

// Placeholder for the impersonation routine named in this write-up; it is not
// a documented Win32 API and is declared here only so the sketch compiles.
RPC_STATUS RpcImpersonateToken(HANDLE hToken);

ULONG Rpcss_Elevation_Of_Privilege(VOID *args) {
    HANDLE hToken = NULL;               // token of the calling RPC client, obtained earlier
    HANDLE hImpersonationToken = NULL;  // duplicate that the service will impersonate
    BOOL bResult;
    (void)args;

    // ... (omitted for brevity)

    // The duplicate is requested at SecurityDelegation level and as a primary
    // token, i.e. with the highest degree of trust a token can carry.
    bResult = DuplicateTokenEx(hToken,
                        TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_IMPERSONATE,
                        NULL,
                        SecurityDelegation,
                        TokenPrimary,
                        &hImpersonationToken);
    if (!bResult) {
        return GetLastError();
    }

    // ... (omitted for brevity)

    // Now mark the impersonated token as a delegate
    RpcImpersonateToken(hImpersonationToken); // Vulnerable function called here

    // ... (omitted for brevity)

    CloseHandle(hImpersonationToken);
    return ERROR_SUCCESS;
}

In this sketch the weak point is the combination of the two steps shown: the caller's token is duplicated at SecurityDelegation level as a primary token and then handed to the impersonation routine (RpcImpersonateToken here is a placeholder name, not a documented API), so a token that originated from a low-privileged RPC client ends up being used with more trust than its origin warrants.

Exploitation Details

An attacker who has already gained limited access to a vulnerable system could exploit this vulnerability along the following lines:

1. Obtain the ability to run code on the target as a low-privileged user; the vulnerability does not provide initial access by itself.

2. Send the malicious RPC request to the RPCSS service on the target system.

3. Upon successful exploitation, the attacker is able to execute code with elevated privileges, potentially gaining full control over the targeted system.

In order to mitigate this vulnerability, apply the security update Microsoft released for it in the April 2023 Patch Tuesday cycle (published 11 April 2023, see the timeline below) through Windows Update, WSUS, or the Microsoft Update Catalog. Because Windows cumulative updates supersede one another, any later cumulative update for the same Windows version also contains the fix.
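The mitigation is "apply the patch"; the check a practitioner then wants is a way to confirm it actually landed. The script below is an added example written for this article (it is not code from Microsoft or from the original post) in PowerShell: it reads the build branch and update build revision (UBR) from the registry and compares them with a minimum revision per branch. It checks the UBR rather than searching for one KB number because cumulative updates supersede each other, so a search for the April KB reports "missing" on a host that has since installed a later cumulative update. The build and UBR numbers in the usage section are placeholders (assumed, not taken from the advisory); fill them in from the "Security Updates" table of the CVE-2023-28297 advisory for the Windows versions you run.

```powershell
# Added example for this article, not code from Microsoft or the original post.
# Confirms that the local host is at or beyond a given patch level for its
# build branch, which is how to verify a cumulative-update fix such as the
# one for CVE-2023-28297.

function Get-WindowsPatchLevel {
    # The installed cumulative update sets CurrentBuildNumber (branch) and UBR.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion
        Build          = [int]$cv.CurrentBuildNumber
        UBR            = [int]$cv.UBR
    }
}

function Test-MinimumPatchLevel {
    param(
        # Map of build branch -> minimum UBR that contains the fix. The caller
        # fills this from the advisory; nothing here is verified advisory data.
        [Parameter(Mandatory)] [hashtable] $MinimumUbrByBuild
    )

    $level = Get-WindowsPatchLevel

    # A branch that is not in the map cannot be judged, so say so instead of
    # silently reporting "patched" or "unpatched".
    $status =
        if (-not $MinimumUbrByBuild.ContainsKey($level.Build)) { 'UnknownBuild' }
        elseif ($level.UBR -ge $MinimumUbrByBuild[$level.Build]) { 'Patched' }
        else { 'Unpatched' }

    # Most recently installed updates, as supporting evidence for the verdict.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, Description, InstalledOn

    [pscustomobject]@{
        ProductName    = $level.ProductName
        DisplayVersion = $level.DisplayVersion
        BuildString    = '{0}.{1}' -f $level.Build, $level.UBR
        RequiredUbr    = $MinimumUbrByBuild[$level.Build]
        Status         = $status
        RecentUpdates  = $recent
    }
}

# Usage. The UBR values below are placeholders; replace them with the values
# that correspond to the April 2023 security updates listed in the advisory
# for each Windows version in your fleet.
$required = @{
    22621 = 1555   # Windows 11 22H2: placeholder, verify against the advisory
    22000 = 1817   # Windows 11 21H2: placeholder, verify against the advisory
}
Test-MinimumPatchLevel -MinimumUbrByBuild $required | Format-List
```

To run it across a fleet, wrap the call in Invoke-Command with a list of computer names; the registry read and Get-HotFix both run on the remote host, so the comparison is made against that host's own build.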

Additionally, you can consult this detailed technical analysis on exploiting CVE-2023-28297 (here).

Conclusion and Recommendations

In conclusion, the CVE-2023-28297 Windows RPCSS elevation of privilege vulnerability is a serious flaw that can turn a foothold as a low-privileged user into full control of the system. To minimize the risk of compromise, stay informed about such vulnerabilities and act promptly to remediate them, via patches or, where patching is delayed, appropriate compensating mitigations.

- Regularly update and apply security patches for your Windows operating systems.

- Maintain strong and unique passwords for user accounts and ensure that privileged accounts are only used when necessary.

Timeline

Published on: 04/11/2023 21:15:00 UTC
Last modified on: 04/19/2023 20:52:00 UTC