CVE-2018-6318

{"id": "CVE-2018-6318", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2018-02-02T21:29:00.917", "references": [{"url": "https://29wspy.ru/exploits/CVE-2018-6318.pdf", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-426"}]}], "descriptions": [{"lang": "en", "value": "In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the context of the application used to test an exploit or ransomware) the DLL using a payload that runs from NTDLL.DLL (so, it's run in userland), but the driver doesn't perform any validation of this DLL (not its signature, not its hash, etc.). A person can change this DLL in a local way, or with a remote connection, to a malicious DLL with the same name -- and when the product is used, this malicious DLL will be loaded, aka a DLL Hijacking attack."}, {"lang": "es", "value": "En Sophos Tester Tool 3.2.0.7 Beta, el controlador carga (en el contexto de la aplicaci\u00f3n empleada para probar un exploit o ransomware) el DLL mediante una carga \u00fatil que se ejecuta desde NTDLL.DLL (por lo que se ejecuta en el espacio de usuario), pero el controlador no realiza ninguna validaci\u00f3n de este DLL (ni su firma, ni su hash, etc.). Una persona puede cambiar este DLL de forma local o con una conexi\u00f3n remota a un DLL malicioso con el mismo nombre: cuando se usa el producto, el DLL malicioso se cargar\u00e1. Esto se conoce como ataque de secuestro de DLL."}], "lastModified": "2018-02-15T15:41:26.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sophos:sophos_tester:3.2.0.7:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "550AA841-52E5-44E0-A639-1535CA6CF091"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}