# CVE-2024-31771 TotalAV Arbitrary File Write 

TotalAV version 6.0.x


13th Feb, 2024 : Discovered 6.0.740 vulnerable and reported to TotalAV.

15th Feb, 2024: TotalAV confirmed and reproduced the issue.

19th Feb, 2024: TotalAV was liaising with another vendor. That vendor advised that they were working on it.

18th Mar, 2024 - 19th Apr: Asked for update, no response from TotalAV.

3rd May, 2024: Requested CVE ID and asked TotalAV for further updates. TotalAV replied no update regarding this issue.

11th May, 2024: Version 6.0.1028 was still vulnerable. No mitigation timeline from the vendor.        

1. Download a malicious DLL generated by msfvenom (part of the metasploit exploitation software package). In the video, I was targeting a DLL loaded by Windows Update service. 
2. After the DLL has been quarantined, create a junction to link the download file location to C:\Windows\System32\ for example linking c:\users\<username>\downloads\test

   C:\Users\player1\Desktop\CreateMountPoint.exe "C:\Users\player1\Downloads\test" "C:\Windows\System32"

3. Restore the DLL, the file is now written to the mount point- C:\Windows\System32\
   - Using eicar as example, it was written by NT\SYSTEM

4. After restoring, the DLL is detected as a threat the second time and moved to quarantine again 
5. If the DLL is restored from Quarantine again, the file is written to C:\Windows\System32\ again
6. If Windows Update services are then triggered, it loads the malicious DLL and the attacker obtains nt authority\SYSTEM privileges.

   (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search('IsInstalled=0')


Special thanks to Filip !!! (