CVE-2023-36568: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability - An In-Depth Analysis & Exploitation Guide

In recent times, Microsoft Office has been targeted by numerous security attacks mainly due to its widespread usage and the fact that it handles a lot of sensitive data. One such vulnerability is the Microsoft Office Click-To-Run Elevation of Privilege vulnerability, which has been assigned the CVE number CVE-2023-36568. In this post, we will walk you through a complete analysis of this vulnerability, including sample code snippets, links to original references, and detailed exploit material to help you understand and potentially mitigate this issue in your systems.

Vulnerability Overview

CVE-2023-36568 is an Elevation of Privilege (EoP) vulnerability that exists in the Microsoft Office Click-To-Run (CTR) installer. The vulnerability allows a local attacker to execute arbitrary code and gain escalated privileges on the affected system. The issue occurs when the Office CTR installer improperly handles symbolic links. An attacker can exploit this vulnerability to elevate their privileges, obtain system administrator rights, and potentially gain control of the compromised system.

Affected Versions

The vulnerability impacts Microsoft Office 2019, Microsoft Office 365, and Microsoft Office versions with Click-To-Run installed.

References

Before diving into the details of this vulnerability, it is crucial to explore some official resources from Microsoft and other trusted organizations that provide initial insights and documentation about CVE-2023-36568. Here, we list some of the most relevant sources:

1. Microsoft Security Response Center's official advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36568
2. MITRE.org's CVE listing: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36568
3. US National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-36568

Sample Code Snippet

The following code snippet demonstrates how to leverage the vulnerability in Office CTR by creating a symbolic link that points to a protected system resource:

import os
import sys

TARGET_FILE = "C:\path\to\protected\system\resource"
SYMLINK_FILE = "C:\path\to\symlink\location"

# Create the malicious symbolic link
def create_symlink(target_file, symlink_file):
    os.system(f'mklink /H "{symlink_file}" "{target_file}"')

if __name__ == "__main__":
    create_symlink(TARGET_FILE, SYMLINK_FILE)

This sample script creates a hard symbolic link that points from the SYMLINK_FILE path to the TARGET_FILE path, the latter of which should be a protected system resource that the attacker wants to gain write access to. Keep in mind that this snippet does not showcase the full exploit but is provided for educational purposes.

To exploit CVE-2023-36568, an attacker must perform the following steps

1. Gain access to a local account on the target system. This can be done through various means, such as phishing attacks, malware infections, or other software vulnerabilities.

2. Create a malicious symbolic link pointing to a protected system resource, similar to the code snippet provided above. This symbolic link must be placed in a location where the Office CTR installer expects to create or update files when installing or updating Office components.

3. Wait for the victim user to install or update Office using Click-To-Run. The installer will follow the malicious symbolic link and overwrite the protected system resource with installer data, ultimately causing an Elevation of Privileges.

Mitigations

Microsoft has released patches that address CVE-2023-36568 for the affected versions of Office. The company has also provided mitigation guidance, which suggests running the Office Click-To-Run installer with the least-privileged user accounts and ensuring that all privileged user accounts have their permissions reduced to the minimum required for their roles.

Conclusion

CVE-2023-36568 is a critical vulnerability that highlights the importance of proper access controls and update mechanisms in software applications. By exploiting this vulnerability, malicious actors can gain escalated privileges and potentially compromise an entire system. Therefore, it is essential to apply the available patches, follow Microsoft's mitigation guidance, and stay informed about relevant threats and vulnerabilities.

Keep in mind that this post is meant to provide an overview and analysis of CVE-2023-36568 and should not be taken as an exhaustive guide on how to exploit or mitigate the vulnerability. As always, exercise caution when dealing with security vulnerabilities and ensure that your systems are adequately protected.

Timeline

Published on: 10/10/2023 18:15:13 UTC
Last modified on: 10/13/2023 15:10:58 UTC