CVE-2023-36802
published 2023-09-12

CVE-2023-36802: Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

Priority P182 · high · 7.8 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2023-10-03
Exploited in the wild
EPSS 26.10% (97.7th percentile)

Affected

30 ranges · showing 25

Vendor     Product                                          Version range                        Fixed in
microsoft  windows_10_1809                                  < 10.0.17763.4851                    10.0.17763.4851
microsoft  windows_10_21h2                                  < 10.0.19044.3448                    10.0.19044.3448
microsoft  windows_10_22h2                                  < 10.0.19045.3448                    10.0.19045.3448
microsoft  windows_10_version_1809                          >= 10.0.0 < 10.0.17763.4851          10.0.17763.4851
microsoft  windows_10_version_1809                          >= 10.0.17763.0 < 10.0.17763.4851    10.0.17763.4851
microsoft  windows_10_version_21h2                          >= 10.0.19043.0 < 10.0.19044.3448    10.0.19044.3448
microsoft  windows_10_version_22h2                          >= 10.0.19045.0 < 10.0.19045.3448    10.0.19045.3448
microsoft  windows_11_21h2                                  < 10.0.22000.2416                    10.0.22000.2416
microsoft  windows_11_22h2                                  < 10.0.22621.2275                    10.0.22621.2275
microsoft  windows_11_version_21h2                          >= 10.0.0 < 10.0.22000.2416          10.0.22000.2416
microsoft  windows_11_version_22h2                          >= 10.0.22621.0 < 10.0.22621.2283    10.0.22621.2283
microsoft  windows_server_2019                              < 10.0.17763.4851                    10.0.17763.4851
microsoft  windows_server_2019                              >= 10.0.17763.0 < 10.0.17763.4851    10.0.17763.4851
microsoft  windows_server_2022                              < 10.0.20348.1970                    10.0.20348.1970
microsoft  windows_server_2022                              >= 10.0.20348.0 < 10.0.20348.1970    10.0.20348.1970
msrc       windows_10_version_1809_for_32-bit_systems
msrc       windows_10_version_1809_for_arm64-based_systems
msrc       windows_10_version_1809_for_x64-based_systems
msrc       windows_10_version_21h2_for_32-bit_systems
msrc       windows_10_version_21h2_for_arm64-based_systems
msrc       windows_10_version_21h2_for_x64-based_systems
msrc       windows_10_version_22h2_for_32-bit_systems
msrc       windows_10_version_22h2_for_arm64-based_systems
msrc       windows_10_version_22h2_for_x64-based_systems
msrc       windows_11_version_21h2_for_arm64-based_systems

Detection & IOCs (extracted from sources)

Type      Indicator
filename  aclui.dll
process   PAExec.exe
process   runlegacycplelevated.exe
registry  HKLM\System\CurrentControlSet\Control\Terminal Server\GlassSessionId
other     IOCTL_FRAMESERVER_PUBLISH_TX
other     IOCTL_FRAMESERVER_CONSUME_TX
other     IOCTL_FRAMESERVER_CONSUME_RX
other     IOCTL_FRAMESERVER_INIT_CONTEXT
  • CVE-2023-36802 exploit targets Microsoft Streaming Service Proxy (mskssrv.sys) via specific IOCTLs (IOCTL_FRAMESERVER_PUBLISH_TX, IOCTL_FRAMESERVER_CONSUME_TX, IOCTL_FRAMESERVER_CONSUME_RX, IOCTL_FRAMESERVER_INIT_CONTEXT); monitor for unusual IOCTL calls to this driver from non-system processes.
  • Raspberry Robin delivers the CVE-2023-36802 exploit as an external 64-bit executable (not embedded in the main 32-bit component) and with less obfuscation than the main payload — hunt for unsigned or anomalously-signed 64-bit PE drops from the main Raspberry Robin process.
  • Raspberry Robin injects exploit code into cleanmgr.exe or winver.exe — alert on these processes spawning with unusual parent processes or performing privilege escalation activity.
  • Raspberry Robin patches NtTraceEvent API to evade ETW — detect in-memory patching of NtTraceEvent in running processes as a strong indicator of compromise.
  • Raspberry Robin terminates runlegacycplelevated.exe (UAC-related process) as an anti-analysis step — alert on unexpected termination of this process by non-system parents.
  • Raspberry Robin uses PAExec.exe (instead of PsExec.exe) for lateral movement and payload download — monitor for PAExec.exe execution, especially when spawned by unusual parent processes.
  • Raspberry Robin checks API hooks by comparing the first byte of GetUserDefaultLangID and GetModuleHandleW — presence of this hook-detection pattern in memory is a behavioral indicator.
  • Raspberry Robin uses AbortSystemShutdownW and ShutdownBlockReasonCreate APIs to prevent system shutdown — alert on non-system processes calling these APIs.
  • Raspberry Robin C2 beaconing starts by contacting 60 hard-coded Tor v3 .onion domains (masquerading as legitimate sites) before reaching real C2 — monitor for Tor traffic or DNS queries to these specific .onion domains.
  • Raspberry Robin is delivered via Discord-hosted RAR archives containing OleView.exe (legitimate signed binary) and a malicious aclui.dll for DLL side-loading — alert on OleView.exe loading aclui.dll from non-standard paths.
  • CVE-2023-36802 exploit is relevant to Windows 10 up through build number 22621 — prioritize detection and patching on systems at or below this build.
  • Check Point IPS signature available for CVE-2023-36802: 'Microsoft Streaming Service Proxy Elevation of Privilege (CVE-2023-36802)'.
  • The exploit for CVE-2023-36802 was sold on Dark Web forums as early as February 2023, seven months before Microsoft's patch — systems may have been compromised well before the September 12, 2023 public disclosure.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck             7.8    HIGH
cisa                  7.8    HIGH
vendor_msrc           7.8    HIGH