Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2023-36884 PoC — Windows Search Remote Code Execution Vulnerability

Source
https://github.com/tarraschk/CVE-2023-36884-Checker
Associated Vulnerability
Title:Windows Search Remote Code Execution Vulnerability (CVE-2023-36884)
Description:Windows Search Remote Code Execution Vulnerability
Description
Script to check for CVE-2023-36884 hardening
Readme
# CVE-2023-36884-Checker

Script to check for CVE-2023-36884 hardening https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

## Goal

This scripts checks if Microsoft hardening recommendations are properly applied.

Microsoft says https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 that:
```
Add the following application names to this registry key as values of type REG_DWORD with data 1.:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

    Excel.exe
    Graph.exe
    MSAccess.exe
    MSPub.exe
    Powerpnt.exe
    Visio.exe
    WinProj.exe
    WinWord.exe
    Wordpad.exe
```

### How to use

Simply execute the `cve-2023-36884-checker.ps1` code and you will see the results as shown below.

To run the script once downloaded:

```
powershell -ExecutionPolicy Bypass .\cve-2023-36884-checker.ps1
```

/!\ This script does NOT require admin rights /!\

Note : you can also use this excellent script which has more options if needed https://github.com/myusefulrepo/Tips/blob/master/CVE-2023-36884-Check%26Mitigation.ps1 (thanks to Olivier @Rapidhands)

### Apply or remove mitigations for CVE-2023-36884

You can also execute `mitigate-cve-2023-36884.ps1` to apply mitigations provided by Microsoft, or `remove-mitigations-cve-2023-36884.ps1` to remove those mitigations if needed later.

```
# To apply mitigations
powershell -ExecutionPolicy Bypass .\mitigate-cve-2023-36884.ps1
# To remove mitigations
powershell -ExecutionPolicy Bypass .\remove-mitigations-cve-2023-36884.ps1
```

/!\ These scripts REQUIRE admin rights /!\

Please note that these scripts change your registry values and thus might break your system. If so, that's your own responsibility.

## Results of the CVE-2023-36884 checker

Here are some examples of the results when running `cve-2023-36884-checker.ps1`.

### If mitigation is totally enforced
```
DEBUG:OK, Excel.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Graph.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, MSAccess.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, MSPub.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, PowerPnt.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Visio.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, WinProj.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, WinWord.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Wordpad.exe has CVE-2023-36884 mitigation enabled
META:hardening-CVE-2023-36884|OK
```

### If mitigation is not enforced at all

```
DEBUG:KO, Excel.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Graph.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSAccess.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSPub.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, PowerPnt.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Visio.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinProj.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinWord.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Wordpad.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
META:hardening-CVE-2023-36884|KO
```

### If mitigation is partially enforced

```
DEBUG:KO, Excel.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Graph.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSAccess.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSPub.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, PowerPnt.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Visio.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinProj.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:OK, WinWord.exe has CVE-2023-36884 mitigation enabled
DEBUG:KO, Wordpad.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
META:hardening-CVE-2023-36884|KO
```

## License

MIT
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →