CVE CyberSecurity Database News

CVE-2023-35367 Exploiting Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Poster -

Microsoft Windows Routing and Remote Access Service (RRAS) is a popular feature that allows remote workers and branch offices to securely access their organization's internal network resources. However, a new critical vulnerability in RRAS, identified as CVE-2023-35367, is creating havoc for many Windows users. This particular vulnerability is a remote code execution (RCE) vulnerability that could allow a malicious actor to gain unauthorized access to an affected system and execute arbitrary code. In this long-read post, we will explore the nature of this security flaw, provide insights into the code snippets, and offer recommendations on how to mitigate it successfully.

Security Vulnerability

A remote code execution vulnerability in Windows RRAS could allow an attacker to send a specially crafted packet to an RRAS server, thereby exploiting the server and executing arbitrary code without the need for authentication. This vulnerability is particularly dangerous as it can provide full control of the target server to the attacker.

Code Snippet

The vulnerability affecting RRAS is caused by an improper use of a memory function in the processing of incoming packets. Here's a pseudocode implementation of the vulnerable memory function causing the issue:

void vulnerable_function(unsigned char *inputBuffer, int bufferSize) {
    unsigned char buffer[64];

    memcpy(buffer, inputBuffer, bufferSize); // buffer overflow susceptible line
}


This function reads data from an incoming packet and copies it directly into a local buffer without validating the length of the incoming data, which can lead to a buffer overflow. If bufferSize exceeds the size of the buffer (64), an overflow will occur, allowing an attacker to overwrite sensitive memory and execute arbitrary code.

Original References

Microsoft has acknowledged the existence of this vulnerability, assigned it the identifier CVE-2023-35367, and issued an official security advisory regarding the issue. You can review the details of the vulnerability in the following links:

1. Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-35367
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35367

Exploit Details

Several proof-of-concept (PoC) exploit scripts have been shared that demonstrate the exploitation of this vulnerability. The PoC below is a simple implementation that sends a crafted packet to an RRAS server, triggering the buffer overflow:

import socket

def exploit_RRAS_vulnerability(target_ip, target_port):
    crafted_pkt = b'\x41' * 100  # Sample crafted packet, replace with actual exploit code
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(crafted_pkt, (target_ip, target_port))
    sock.close()

target_ip = '192.168.1.100'
target_port = 500
exploit_RRAS_vulnerability(target_ip, target_port)


Please note that this exploit code is for educational purposes only, and you should never attempt to target systems without appropriate permission.

To protect your systems from this dangerous vulnerability, follow these steps

1. Update your Windows systems immediately. Microsoft has released a security patch for this vulnerability as part of their monthly security updates. Ensure you have installed the most recent security patches, which can be found at https://support.microsoft.com/en-us/help/4464619/windows-10-update-history.
2. If possible, disable RRAS services on your systems until they are fully updated to reduce the risk of exploitation.
3. Make use of firewalls and network intrusion detection/prevention systems to monitor and block suspicious traffic that could be targeting this vulnerability.
4. Implement the principle of least privilege on all endpoints to limit the potential impact of a successful attack and prevent further lateral movement.

Conclusion

The CVE-2023-35367 vulnerability is a serious security flaw affecting Windows RRAS servers. By understanding the root cause, exploiting details, and mitigation steps mentioned in this post, you can adequately protect your systems from potential exploits. Keep your systems updated and follow best practices to minimize the risk of future vulnerabilities.

Timeline

Published on: 07/11/2023 18:15:00 UTC
Last modified on: 07/18/2023 14:06:00 UTC