Description
Script to check for CVE-2023-36884 hardening
Readme
# CVE-2023-36884-Checker
Script to check for CVE-2023-36884 hardening https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
## Goal
This script checks whether Microsoft's hardening recommendations are properly applied.
Microsoft's advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884) states:
```
Add the following application names to this registry key as values of type REG_DWORD with data 1.:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
Powerpnt.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe
```
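As an added example (not the repository's `cve-2023-36884-checker.ps1`), the following read-only sketch shows one way to verify the setting quoted above, confirming both the `REG_DWORD` type and the data `1` for each application. The function name `Test-AppMitigation`, the reason suffix on `KO` lines and the exit code are assumptions made for this example.

```powershell
# Added example, not the repository's script. Read-only: it only queries HKLM.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'Powerpnt.exe',
        'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

# Hypothetical helper: returns 'ok' or a short reason why the value does not
# match the advisory (REG_DWORD with data 1).
function Test-AppMitigation {
    param([string]$Path, [string]$App)

    # Get-Item on a registry path returns a RegistryKey, which exposes the
    # value kind as well as the data.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return 'key missing' }

    # -notcontains is case-insensitive, like registry value names.
    if ($key.GetValueNames() -notcontains $App) { return 'value missing' }

    # A REG_SZ "1" looks right in a quick listing but is not what the advisory asks for.
    $kind = $key.GetValueKind($App)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "wrong type ($kind)" }

    $data = $key.GetValue($App)
    if ($data -ne 1) { return "wrong data ($data)" }
    return 'ok'
}

$allOk = $true
foreach ($app in $Apps) {
    $state = Test-AppMitigation -Path $KeyPath -App $app
    if ($state -eq 'ok') {
        Write-Output "DEBUG:OK, $app has CVE-2023-36884 mitigation enabled"
    } else {
        $allOk = $false
        Write-Output "DEBUG:KO, $app FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1 ($state)"
    }
}

# One summary line per host, plus a non-zero exit code for inventory tooling.
$verdict = if ($allOk) { 'OK' } else { 'KO' }
Write-Output "META:hardening-CVE-2023-36884|$verdict"
if (-not $allOk) { exit 1 }
```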
### How to use
Simply execute the `cve-2023-36884-checker.ps1` code and you will see the results as shown below.
To run the script once downloaded:
```
powershell -ExecutionPolicy Bypass .\cve-2023-36884-checker.ps1
```
/!\ This script does NOT require admin rights /!\
Note: you can also use this excellent script, which has more options if needed: https://github.com/myusefulrepo/Tips/blob/master/CVE-2023-36884-Check%26Mitigation.ps1 (thanks to Olivier @Rapidhands)
### Apply or remove mitigations for CVE-2023-36884
You can also execute `mitigate-cve-2023-36884.ps1` to apply mitigations provided by Microsoft, or `remove-mitigations-cve-2023-36884.ps1` to remove those mitigations if needed later.
```
# To apply mitigations
powershell -ExecutionPolicy Bypass .\mitigate-cve-2023-36884.ps1
# To remove mitigations
powershell -ExecutionPolicy Bypass .\remove-mitigations-cve-2023-36884.ps1
```
/!\ These scripts REQUIRE admin rights /!\
Please note that these scripts change your registry values and thus might break your system. If so, that's your own responsibility.
## Results of the CVE-2023-36884 checker
Here are some examples of the results when running `cve-2023-36884-checker.ps1`.
### If mitigation is totally enforced
```
DEBUG:OK, Excel.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Graph.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, MSAccess.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, MSPub.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, PowerPnt.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Visio.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, WinProj.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, WinWord.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Wordpad.exe has CVE-2023-36884 mitigation enabled
META:hardening-CVE-2023-36884|OK
```
### If mitigation is not enforced at all
```
DEBUG:KO, Excel.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Graph.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSAccess.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSPub.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, PowerPnt.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Visio.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinProj.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinWord.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Wordpad.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
META:hardening-CVE-2023-36884|KO
```
### If mitigation is partially enforced
```
DEBUG:KO, Excel.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Graph.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSAccess.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSPub.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, PowerPnt.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Visio.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinProj.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:OK, WinWord.exe has CVE-2023-36884 mitigation enabled
DEBUG:KO, Wordpad.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
META:hardening-CVE-2023-36884|KO
```
## License
MIT
File Snapshot
[4.0K] /data/pocs/24bc01750e2f7b1902e4c79a57791579a1eb5bd4
├── [1.2K] cve-2023-36884-checker.ps1
├── [1.0K] LICENSE
├── [ 861] mitigate-cve-2023-36884.ps1
├── [4.1K] README.md
└── [ 714] remove-mitigations-cve-2023-36884.ps1
0 directories, 5 files