Information

A use-after-free (UAF) was found at wdstftp!Ctptreadfile::iocompletioncallback.
The server reads files into cache block objects and sends them asynchronously once the ReadFile completes.
The root cause of this bug is a hardcoded limit of a maximum of 2 cache blocks. WAT?

Crash Dump

Attached

PoC

Attached

Attachments:
poc_crash_controlled.py
poc_crash_pageheap.py
windbg_dump_controlled.jpg
windbg_dump_pageheap.jpg

References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8476
https://research.checkpoint.com/pxe-dust-finding-a-vulnerability-in-windows-servers-deployment-services/