After I read one of post from twitter which is about @jonasLyk's CVE-2020-16938 , I've some idea to do without using 7 zip file manager to read privileged files. And I remember about one of forensics tools for the files system which is called "Sleuthkit".
I've little experience with that sleuthkit tool when I played some of CTF for the forensics. For this arb file read bug, I will use 3 tools which are mmls, fls and icat from sleuthkit.
The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.
mmls : to displays the layout of the partitions in a volume system, which include partition tables and disk labels.
fls : to lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given inode. If the inode argument is not given, the inode value for the root directory is used. For example, on an NTFS file system it would be 5 and on a Ext3 file system it would be 2.
icat : to opens the named image(s) and copies the file with the specified inode number to standard output.
CVE-2020-16938: Privileged files could be read by opening the device volume. @jonasLyk used 7zip File Manager to read privileged files for the POC.
In this article, I will show that POC without using 7zip File Manager.
For the first step, check the volume system of "\\.\PhysicalDrive0" partition with mmls.
C:\sleuthkit>mmls "\\.\PhysicalDrive0"
No comments:
Post a Comment