CVE-2022-27049: Raidrive Setup Arbitrary File Move (ycdxsb/Vuln)
Raidrive before v2021.12.35 allows attackers to arbitrarily move log files by pre-creating a mountpoint and log files before Raidrive is installed.
Raidrive Service Arbitrary File Move
Basic Info
Vuln Version: Version 2021-10-9 and before
Fixed Version: Version 2021.12.35
Test OS Version: Win10 20H2 (OS build 19042.1348)
Vulnerability Type: Arbitrary File Move, Local Privilege Escalation.
Vuln Analysis
The Raidrive Service, which is installed by the administrator, creates log files named like C:\ProgramData\OpenBoxLab\Raidrive\log\service.log.* as SYSTEM.
Before it creates a new log file, it checks the log files under C:\ProgramData\OpenBoxLab\Raidrive\log and moves all of them. For example, if there is a log file named service.log.1, it moves it to service.log.2.
The problem is that on Windows all users can make folders and create files under C:\ProgramData. Through file operation abuse, we can pre-create the mountpoint C:\ProgramData\OpenBoxLab\Raidrive\log and create log files before Raidrive is installed. The service then performs its move as SYSTEM on a path that a low-privileged user controls.
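A pre-installation check for the condition described above, as an added example that is not part of the original advisory or of Raidrive: it walks each component below a trusted root and reports directories that already exist, reparse points, and service.log files. The function names, finding labels and the temporary directory standing in for C:\ProgramData are assumptions of this example.

```python
import os
import stat
import tempfile

def is_redirect(path):
    """True if path itself is a symlink or a Windows reparse point (junction, mount point)."""
    st = os.lstat(path)  # lstat inspects the entry itself and never follows it
    attrs = getattr(st, "st_file_attributes", 0)  # field exists only on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def audit_log_dir(log_dir, trusted_root):
    """Walk from trusted_root down to log_dir and report anything already there.

    Returns (path, finding) tuples; an empty list means nothing exists yet.
    """
    findings = []
    current = trusted_root
    for part in os.path.relpath(log_dir, trusted_root).split(os.sep):
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            return findings  # nothing at or below this component exists yet
        if is_redirect(current):
            findings.append((current, "reparse-point"))
            return findings  # stop here: never follow the redirect
        findings.append((current, "pre-existing"))
    if os.path.isdir(log_dir):
        for name in sorted(os.listdir(log_dir)):
            if name.startswith("service.log"):
                findings.append((os.path.join(log_dir, name), "planted-log"))
    return findings

def constructed_demo():
    """Constructed sample: a temp directory stands in for C:\\ProgramData."""
    root, elsewhere = tempfile.mkdtemp(), tempfile.mkdtemp()
    parent = os.path.join(root, "OpenBoxLab", "Raidrive")
    os.makedirs(parent)
    log_dir = os.path.join(parent, "log")
    os.symlink(elsewhere, log_dir, target_is_directory=True)  # stand-in for the mountpoint
    return [(os.path.relpath(p, root), f) for p, f in audit_log_dir(log_dir, root)]

if __name__ == "__main__":
    for path, finding in constructed_demo():
        print(f"{finding:14} {path}")
```

On a host where Raidrive has never been installed, any finding for this path is worth investigating before the installer is run.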
Proof of Concept
To exploit this vuln, an attacker needs to pre-create the mountpoint before an administrator installs Raidrive; the arbitrary file move is then triggered when the administrator installs Raidrive and starts the Raidrive service.
Poc Video
Official Confirm