CVE-2018-8476
Information
A use-after-free (UAF) was found at wdstftp!Ctptreadfile::iocompletioncallback.
The server reads files into cache block objects and sends them asynchronously when the file read completes.
The root cause of this bug is a hardcoded limit of at most 2 cache blocks. WAT?
Crash Dump
Attached
PoC
Attached
Attachments:
poc_crash_controlled.py
poc_crash_pageheap.py
windbg_dump_controlled.jpg
windbg_dump_pageheap.jpg
References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8476
https://research.checkpoint.com/pxe-dust-finding-a-vulnerability-in-windows-servers-deployment-services/