angrypolarbearbug.exe

vendor:

by:

Anonymous

0.0

CVSS

LOW

Non-Security Issue

N/A

CWE

Product Name: angrypolarbearbug.exe

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows

2020

This exploit allows a user to overwrite files with trash, potentially allowing them to disable third-party AV software. It requires an internet connection and may not work on some CPUs.

Mitigation:

Ensure that the file report.wer is copied to the same folder as the executable before running it.

Source

Exploit-DB raw data:

Make sure to copy the file report.wer found in the folder PoC-Files in the same folder as the executable before running it... I guess I could have included it as a resource in the exe.. but whatever.

Example: "angrypolarbearbug.exe c:\windows\system32\drivers\pci.sys"

This will overwrite pci.sys with trash.
Couldn't repo on one core. 
It can take a little for the bug to win race..
It might straight up not work on some CPUs.. I don't know.. 
You need an internet connection. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

It's a non security issue really. You should have partial control over the write (change string fields in report.wer maybe?) .. I havn't tested.. but in theory if you can dump some script in it and overwrite filetypes that potentially execute it, that could be interesting.

You can also use it to perhaps disable third party AV software..
Windows defender will be harder since those files can only be modified by trusted installer, not even system.

Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46098.rar