This issue is credited to security researcher Dawid Golunski and was published through the Microsoft Security Response Center (MSRC). The flaw lies in the Windows CD-ROM File System Driver (cdfs.sys), the kernel-mode driver that parses ISO 9660 CD-ROM volumes. The original description, that Windows mishandles "loading a network-based file system driver over a remote connection", does not fit a CD-ROM file system driver: the attacker-controlled input is the on-disc structure of a crafted volume, which cdfs.sys parses when that volume is mounted, for example when an ISO image is attached to the system.
Because the driver runs in kernel mode, memory corruption in it ends either in a system crash (bugcheck) or in arbitrary code running with kernel privileges, which amounts to complete control of the affected system.

Nothing in this summary substantiates a claim that the Windows CD-ROM File System Driver Remote Code Execution Vulnerability is being exploited in the wild; take the exploitation status from the Exploitability section of Microsoft's advisory rather than assuming active exploitation.

How to check if you are affected?

Being on Windows 7 or later does not by itself mean a system is unaffected. Microsoft's advisory lists the affected Windows versions and the security update that fixes the issue for each build; a system is protected once the update for its build and architecture is installed. Verify that the update is present, and if a file-level check is wanted, compare the version of %SystemRoot%\System32\drivers\cdfs.sys on the machine against the file version listed in the KB article for that update.

Windows CD-ROM File System Driver Remote Code Execution Vulnerability Demo

The bug allows code execution on the affected computer when it processes attacker-supplied input. It lies in the Windows CD-ROM File System Driver (cdfs.sys), a kernel-mode driver that is loaded on demand when a CD-ROM-format volume (a physical disc or a mounted ISO image) is recognised, not at system start. The driver parses on-disc structures authored by whoever built the volume, so the attack surface is a crafted volume; no "network-based file system driver loaded over a remote connection" is involved, and Microsoft's "Remote Code Execution" title covers code execution from attacker-supplied input, including a file handed to the victim, rather than implying a network-listening service.
The original write-up then offers the Python script below as an exploit. As published it could not run: socket.gethostport() does not exist, accept() was called on a client socket, and targetIP and targetPort were never defined. It is corrected here into what it actually is, a TCP connection skeleton that carries no exploit payload and does not touch cdfs.sys at all:

#!/usr/bin/env python3
# Connection skeleton from the write-up, made runnable: it only opens a TCP
# connection and reads a reply; it carries no exploit payload.
import socket

targetIP = "192.0.2.10"   # placeholder target (TEST-NET-1 address)
targetPort = 445          # placeholder port

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:  # new TCP socket
    s.settimeout(1)       # 1 s timeout so recv() returns instead of blocking
    s.connect((targetIP, targetPort))  # client side: connect, never accept()
    print("Connected to %s:%d" % (targetIP, targetPort))
    try:
        print("Received %d bytes" % len(s.recv(1024)))  # first bytes the service sends
    except socket.timeout:
        print("No data within timeout")
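Since the write-up never identifies the faulty code path, the following added example (written for this page, not taken from cdfs.sys and not from the original post) illustrates the class of defect a file-system driver parsing a crafted volume is exposed to: trusting the length fields of an ISO 9660 directory record. It walks a constructed directory sector twice, once trusting the on-disc lengths and once validating them; the 0xAA guard bytes placed after the sector stand in for whatever would follow the buffer in kernel pool memory. The directory contents, the filler names and the chosen record lengths are all constructed for the demonstration.

```c
/* Added illustration of the bug class: a file-system parser trusting length
 * fields read from the medium. Constructed sample data; this is not the
 * cdfs.sys defect itself and not code from the original write-up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR      2048  /* ISO 9660 logical sector size */
#define GUARD       64    /* bytes after the sector standing in for adjacent kernel memory */
#define REC_HDR     33    /* fixed part of a directory record; the identifier starts at byte 33 */
#define MAX_NAME    32
#define MAX_ENTRIES 64

/* Write one ISO 9660 directory record (ECMA-119 9.1 layout, only the fields
 * this example uses): byte 0 = record length, byte 32 = identifier length,
 * bytes 33.. = identifier. */
static void put_record(uint8_t *p, uint8_t rec_len, uint8_t name_len, const char *name) {
    memset(p, 0, rec_len);
    p[0] = rec_len;
    p[32] = name_len;
    memcpy(p + REC_HDR, name, strlen(name));
}

/* Build a directory sector followed by a 0xAA guard region. Every record is
 * well formed except the last: its declared length (30) ends exactly at the
 * sector boundary but is too short to hold the 33-byte header, so its
 * identifier-length byte and identifier lie beyond the sector. */
void build_sample_directory(uint8_t *buf, size_t buf_len) {
    size_t off = 0;
    memset(buf, 0, SECTOR);
    memset(buf + SECTOR, 0xAA, buf_len - SECTOR);
    put_record(buf + off, 34, 1, "");              off += 34;  /* "." entry: one 0x00 identifier byte */
    put_record(buf + off, 46, 12, "README.TXT;1"); off += 46;
    for (int i = 0; i < 57; i++) {                 /* filler so the crafted record lands at offset 2018 */
        char name[2] = { (char)('A' + i % 26), '\0' };
        put_record(buf + off, 34, 1, name);        off += 34;
    }
    buf[off] = 30;                                 /* crafted record: 2018 + 30 == SECTOR */
}

/* Walk one directory sector and copy identifiers into names[].
 * strict == 0 trusts the on-disc lengths the way a careless parser would;
 * strict == 1 checks them against the bytes actually present in the buffer.
 * Returns the number of entries, or -1 when strict mode rejects a record. */
int walk_directory(const uint8_t *dir, size_t dir_len, int strict,
                   char names[][MAX_NAME], size_t max_names) {
    size_t off = 0, n = 0;
    while (off < dir_len && n < max_names) {
        uint8_t rec_len = dir[off];
        if (rec_len == 0) break;                   /* zero length: rest of the sector is padding */
        if (strict) {
            /* the header and the declared identifier must both lie inside the buffer */
            if (rec_len < REC_HDR || (size_t)rec_len > dir_len - off) return -1;
            if (dir[off + 32] > rec_len - REC_HDR) return -1;
        }
        uint8_t name_len = dir[off + 32];          /* trusting mode: may already be outside dir_len */
        size_t copy = name_len < MAX_NAME - 1 ? name_len : MAX_NAME - 1;
        /* The cap only protects names[]; the source is wherever the on-disc fields
         * point, so in trusting mode this memcpy reads past the end of the sector. */
        memcpy(names[n], dir + off + REC_HDR, copy);
        names[n][copy] = '\0';
        n++;
        off += rec_len;
    }
    return (int)n;
}

/* Count entries whose identifier contains guard bytes, i.e. data copied from
 * beyond the sector. */
int count_guard_leaks(char names[][MAX_NAME], int n) {
    int leaks = 0;
    for (int i = 0; i < n; i++)
        if (memchr(names[i], 0xAA, strlen(names[i])) != NULL) leaks++;
    return leaks;
}

/* Trusting mode over the sample: number of entries whose name came from
 * outside the sector. */
int trusting_parser_leaks(void) {
    uint8_t img[SECTOR + GUARD];
    char names[MAX_ENTRIES][MAX_NAME];
    build_sample_directory(img, sizeof img);
    return count_guard_leaks(names, walk_directory(img, SECTOR, 0, names, MAX_ENTRIES));
}

/* Strict mode over the sample: the walker's result (-1 on rejection). */
int strict_parser_result(void) {
    uint8_t img[SECTOR + GUARD];
    char names[MAX_ENTRIES][MAX_NAME];
    build_sample_directory(img, sizeof img);
    return walk_directory(img, SECTOR, 1, names, MAX_ENTRIES);
}

int main(void) {
    printf("trusting parser: %d entry whose name was read from beyond the sector\n",
           trusting_parser_leaks());
    printf("strict parser: %s\n",
           strict_parser_result() < 0 ? "rejected the crafted record" : "accepted everything");
    return 0;
}
```

In the trusting walk the crafted record's own length byte is the only thing inside the sector; the identifier length and the identifier are fetched from the guard region, which is exactly the pattern that, in a kernel driver, turns into a pool out-of-bounds read and, with a write on the same unchecked offsets, into memory corruption. The strict walk rejects the record on the first check, before any field beyond the sector is touched, which is the check a file-system parser must make on every record length before using it.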

Timeline

Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/12/2022 19:50:00 UTC

References