cbcvebase.
CVE-2023-36884
published 2023-07-11

CVE-2023-36884: Windows Search Remote Code Execution Vulnerability

Priority: P1 · 90 · high
CVSS 3.1: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2023-08-29
Exploited in the wild
EPSS: 99.08% (99.9th percentile)

Affected

41 ranges · showing 25

Vendor     Product                                  Version range                          Fixed in
microsoft  windows_10_1507                          < 10.0.10240.20107                     10.0.10240.20107
microsoft  windows_10_1607                          < 10.0.14393.6167                      10.0.14393.6167
microsoft  windows_10_1809                          < 10.0.17763.4737                      10.0.17763.4737
microsoft  windows_10_21h2                          < 10.0.19044.3324                      10.0.19044.3324
microsoft  windows_10_22h2                          < 10.0.19044.3324                      10.0.19044.3324
microsoft  windows_10_version_1507                  >= 10.0.10240.0 < 10.0.10240.20107     10.0.10240.20107
microsoft  windows_10_version_1607                  >= 10.0.14393.0 < 10.0.14393.6167      10.0.14393.6167
microsoft  windows_10_version_1809                  >= 10.0.0 < 10.0.17763.4737            10.0.17763.4737
microsoft  windows_10_version_1809                  >= 10.0.17763.0 < 10.0.17763.4737      10.0.17763.4737
microsoft  windows_10_version_21h2                  >= 10.0.19043.0 < 10.0.19044.3324      10.0.19044.3324
microsoft  windows_10_version_22h2                  >= 10.0.19045.0 < 10.0.19045.3324      10.0.19045.3324
microsoft  windows_11_21h2                          < 10.0.22000.2295                      10.0.22000.2295
microsoft  windows_11_22h2                          < 10.0.22621.2134                      10.0.22621.2134
microsoft  windows_11_version_21h2                  >= 10.0.0 < 10.0.22000.2295            10.0.22000.2295
microsoft  windows_11_version_22h2                  >= 10.0.22621.0 < 10.0.22621.2134      10.0.22621.2134
microsoft  windows_server_2008                      (no range given)
microsoft  windows_server_2008_r2_service_pack_1    >= 6.1.7601.0 < 6.1.7601.26664         6.1.7601.26664
microsoft  windows_server_2008_service_pack_2       >= 6.0.6003.0 < 6.0.6003.22216         6.0.6003.22216
microsoft  windows_server_2012                      (no range given)
microsoft  windows_server_2012                      >= 6.2.9200.0 < 6.2.9200.24414         6.2.9200.24414
microsoft  windows_server_2012_r2                   >= 6.3.9600.0 < 6.3.9600.21503         6.3.9600.21503
microsoft  windows_server_2016                      < 10.0.14393.6167                      10.0.14393.6167
microsoft  windows_server_2016                      >= 10.0.14393.0 < 10.0.14393.6167      10.0.14393.6167
microsoft  windows_server_2019                      < 10.0.17763.4737                      10.0.17763.4737
microsoft  windows_server_2019                      >= 10.0.17763.0 < 10.0.17763.4737      10.0.17763.4737

Detection & IOCs (extracted from sources)

Type      Value
hash      a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
hash      07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d
hash      1a7bb878c826fe0ca9a0677ed072ee9a57a228a09ee02b3c5bd00f54f354930f
hash      3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97
hash      e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539
hash      48142dc7fe28a5d8a849fff11cb8206912e8382314a2f05e72abad0978b27e90
hash      5f40cb4852ec50ee24f3cd951a172c725d02012d17dd645b6ce22d324aa140ad
hash      0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a
ip        74.50.94.156
ip        104.234.239.26
ip        94.232.40.34
ip        66.23.226.102
ip        65.21.27.250
domain    finformservice.com
domain    altimata.org
domain    penofach.com
domain    bentaxworld.com
domain    wexonlake.com
domain    ukrainianworldcongress.info
url       hxxps://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx
url       \\104.234.239[.]26\share1\MSHTML_C7\file001.url
url       hxxp://74.50.94[.]156/MSHTML_C7/start.xml
url       file[:]//104.234.239[.]26/share1/MSHTML_C7/1/__file001.htm?d=__
url       https://mctelemetryzone[.]com/favicon.ico
filename  Overview_of_UWCs_UkraineInNATO_campaign.docx
filename  afchunk.rtf
filename  2222.chm
filename  Unpublished Pictures 1-20230802T122531-002-sfx.exe
port      442
registry  HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
path      word/afchunk.rtf
other     Threat Prevention signatures: 86775, 86776, 86777
  • Detect child processes spawned by Microsoft Office applications on Windows; with this chain, Office launching anything unexpected is the first host-side sign of CVE-2023-36884 exploitation.
  • The exploit chain uses a .docx whose altChunk element references an embedded afchunk.rtf (OLE2LINK). That RTF carries two malicious OLE objects: one uses objautlink with objupdate (an OLE auto-link) to reach an SMB URL, the other uses the xmlfile class with a URLMoniker to fetch start.xml over HTTP.
  • The chain then abuses the Windows Search handler: JavaScript in file001.htm loads a .search-ms saved-search file via iframes, which delivers the later stages of the attack.
  • PEAPOD/ROMCOM falls back to raw TCP on port 442 or to ICMP if HTTPS C2 is unreachable; monitor for unusual outbound TCP/442 or ICMP originating from Office-related processes.
  • When the victim's host follows the SMB URL embedded in the OLE object, it leaks NTLM credentials to the attacker-controlled server; monitor for outbound SMB connections to external IPs originating from Office processes.
  • Exploitation requires the victim to open the malicious document; no zero-click vector has been confirmed.
  • The FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry mitigation is only effective if it is applied for every relevant Office binary (Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPnt.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe).
  • Successful exploitation of CVE-2023-36884 via this lure requires the .docx to NOT carry the Mark-of-the-Web (MotW); if MotW is present, the file opens in Protected View and the exploit chain is disrupted.
  • The PEAPOD/ROMCOM C2 client enforces TLS 1.2 via WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2, so the malware cannot complete C2 on systems running Windows 7 or earlier (TLS negotiation fails).
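The three host-side detections above (Office child processes, Office-originated SMB to external IPs, Office-originated TCP/442 or ICMP) as one triage routine over Sysmon-style events. This is an added example, not code from the cbcvebase page or from any vendor signature. The event dicts use Sysmon field names but are constructed here; the child-process allow-list is an assumption to tune per estate, and because Sysmon Event ID 3 only records TCP/UDP, the "icmp" record stands in for an EDR or firewall log. The IP addresses in the sample reuse the page's IOC list.

```python
"""Added example (not from the cbcvebase page): triage Sysmon-style events for the
CVE-2023-36884 / ROMCOM behaviours listed in the detection notes."""
import ipaddress

# Office binaries from the page's mitigation list, as lower-cased image basenames.
OFFICE_IMAGES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "mspub.exe",
    "visio.exe", "winproj.exe", "graph.exe", "wordpad.exe",
}
# Assumed allow-list of children Office launches legitimately; tune per estate.
BENIGN_CHILDREN = {"splwow64.exe", "msosync.exe", "conhost.exe"}
SMB_PORTS = {445, 139}
ROMCOM_FALLBACK_PORT = 442            # raw-TCP fallback port from the page
KNOWN_IOC_IPS = {                     # C2 / staging IPs from the page's IOC list
    "74.50.94.156", "104.234.239.26", "94.232.40.34",
    "66.23.226.102", "65.21.27.250",
}

def _basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _is_external(ip):
    """True for routable addresses; Office -> external SMB is the NTLM-leak pattern."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved)

def triage(events):
    """Return (kind, image, detail) alerts for a list of event dicts.

    EventID 1 = process create (ParentImage/Image/CommandLine);
    EventID 3 = network connection (Image/Protocol/DestinationIp/DestinationPort).
    Sysmon itself logs only TCP/UDP in Event 3; an "icmp" record here stands in
    for an EDR or firewall sensor.
    """
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            parent = _basename(ev.get("ParentImage", ""))
            child = _basename(ev.get("Image", ""))
            if parent in OFFICE_IMAGES and child not in BENIGN_CHILDREN:
                alerts.append(("office_child_process", parent,
                               f"{child} {ev.get('CommandLine', '')}".strip()))
        elif ev["EventID"] == 3:
            image = _basename(ev.get("Image", ""))
            proto = ev.get("Protocol", "").lower()
            dst = ev.get("DestinationIp", "")
            port = int(ev.get("DestinationPort", 0) or 0)
            if dst in KNOWN_IOC_IPS:                      # any process, known IOC
                alerts.append(("ioc_ip_match", image, f"{proto}://{dst}:{port}"))
            if image not in OFFICE_IMAGES:
                continue
            if proto == "tcp" and port in SMB_PORTS and _is_external(dst):
                alerts.append(("office_external_smb", image, f"{dst}:{port}"))
            elif proto == "tcp" and port == ROMCOM_FALLBACK_PORT:
                alerts.append(("office_tcp_442", image, f"{dst}:{port}"))
            elif proto == "icmp":
                alerts.append(("office_icmp", image, dst))
    return alerts

# Constructed sample telemetry (not real captures); IPs reuse the page's IOC list.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": WINWORD, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": WINWORD, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "Image": WINWORD, "Protocol": "tcp",
     "DestinationIp": "104.234.239.26", "DestinationPort": "445"},
    {"EventID": 3, "Image": WINWORD, "Protocol": "tcp",
     "DestinationIp": "10.0.0.5", "DestinationPort": "445"},
    {"EventID": 3, "Image": WINWORD, "Protocol": "tcp",
     "DestinationIp": "65.21.27.250", "DestinationPort": "442"},
    {"EventID": 3, "Image": WINWORD, "Protocol": "icmp",
     "DestinationIp": "94.232.40.34", "DestinationPort": "0"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "tcp", "DestinationIp": "1.2.3.4", "DestinationPort": "443"},
]

def triage_sample():
    return triage(SAMPLE_EVENTS)

if __name__ == "__main__":
    for kind, image, detail in triage_sample():
        print(f"{kind:22} {image:14} {detail}")
```

The internal-SMB record (10.0.0.5) deliberately produces nothing: an SMB connection to a file server is normal for Office, so the rule keys on the destination being routable, which is exactly what makes the objautlink fetch leak the NTLM exchange to an attacker.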
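The two conditions the notes above name as breaking the chain, the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION policy covering every listed Office binary and Mark-of-the-Web on the document, as a posture check. This is an added example, not the page's or Microsoft's code. It follows Microsoft's published layout for the mitigation (one REG_DWORD value named per binary, set to 1, under the key the page lists); the live-registry reader only works on Windows and returns an empty mapping elsewhere, and the partial policy state and Zone.Identifier streams below are constructed inputs.

```python
"""Added example (not from the cbcvebase page): check the two exploit-chain
disruptors named in the detection notes, the cross-protocol navigation policy
and Mark-of-the-Web (MotW) on the document."""

POLICY_KEY = (r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main"
              r"\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION")
# Binaries the page lists; each must be a REG_DWORD value = 1 under POLICY_KEY.
OFFICE_BINARIES = ["Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe",
                   "PowerPnt.exe", "Visio.exe", "WinProj.exe", "WinWord.exe",
                   "Wordpad.exe"]

def missing_mitigation(current_values):
    """Binaries not set to 1 under the key. current_values: {value_name: dword}."""
    present = {name.lower(): val for name, val in current_values.items()}
    return [b for b in OFFICE_BINARIES if present.get(b.lower()) != 1]

def read_policy_values():
    """Read the live key on Windows; {} on other platforms or if the key is absent."""
    try:
        import winreg
    except ImportError:
        return {}
    subkey = POLICY_KEY.split("\\", 1)[1]
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:          # no more values
                    break
                values[name] = data
                index += 1
    except OSError:                      # key does not exist
        return {}
    return values

def reg_file(binaries=OFFICE_BINARIES):
    """A .reg file that sets every listed binary to dword 1 under the policy key."""
    header = POLICY_KEY.replace("HKLM", "HKEY_LOCAL_MACHINE", 1)
    lines = ["Windows Registry Editor Version 5.00", "", f"[{header}]"]
    lines += [f'"{b}"=dword:00000001' for b in binaries]
    return "\r\n".join(lines) + "\r\n"

def motw_zone(zone_identifier):
    """ZoneId from a Zone.Identifier alternate data stream, or None if absent."""
    section = None
    for raw in (zone_identifier or "").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(val.strip())
                except ValueError:
                    return None
    return None

def protected_view_applies(zone_identifier):
    """Zone 3 (Internet) or 4 (Restricted) makes Office open the file in Protected View."""
    return motw_zone(zone_identifier) in (3, 4)

# Constructed inputs: a half-applied policy and two Zone.Identifier streams.
PARTIAL_POLICY = {"WinWord.exe": 1, "Excel.exe": 1, "PowerPnt.exe": 0}
ZONE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
ZONE_LOCAL = "[ZoneTransfer]\r\nZoneId=0\r\n"

if __name__ == "__main__":
    print("missing:", missing_mitigation(read_policy_values() or PARTIAL_POLICY))
    print("protected view:", protected_view_applies(ZONE_INTERNET))
    print(reg_file())
```

On a real host, read the stream with `open(path + ":Zone.Identifier")` (NTFS only) and pass its text to `motw_zone`; an empty or missing stream is exactly the state the lure needs, since the document then opens without Protected View.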

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck             7.5    HIGH
cisa                  7.5    HIGH
vendor_msrc           7.5    HIGH