Wazuh Heap-Based Buffer Underflow Vulnerability in decode_win_permissions Function Allowing Remote Code Execution

Vulnerability

A heap-based buffer underflow vulnerability has been identified in Wazuh versions through 4.10.1. The issue occurs in the decode_win_permissions function, where a NULL byte is written two bytes before the start of an allocated buffer. This vulnerability can be exploited by a compromised agent that sends a specially crafted message to the Wazuh manager, potentially leading to remote code execution. The exploitability of this vulnerability depends on the specifics of the heap allocator.
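
As an added illustration, not Wazuh's code and not derived from the patched function, the following C model shows the arithmetic behind a NULL byte landing two bytes before a heap buffer: a decoder joins permission names with ", " and then strips the trailing separator, and the unchecked form computes that cut index as strlen(out) - 2, which is -2 when no permission was written. All names here (PERM_NAMES, trailing_sep_index_unchecked, decode_perms_hardened) are assumptions made for the example; the hardened variant checks that the separator is actually present before writing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a permission decoder, for illustration only (this is
 * not Wazuh's decode_win_permissions). Each set bit in `mask` becomes a name
 * joined by ", "; the trailing separator is removed at the end. */
static const char *PERM_NAMES[] = { "READ", "WRITE", "DELETE", "EXECUTE" };
#define PERM_COUNT 4
#define OUT_SIZE 64

/* Vulnerable pattern: the separator index is computed as strlen(out) - 2 with
 * no check that anything was written. For an empty output this is -2, i.e. two
 * bytes before the start of the allocation, so `out[idx] = '\0'` would be a
 * heap-based buffer underflow. The index is returned as a signed value so the
 * underflow can be observed without performing the out-of-bounds write. */
long trailing_sep_index_unchecked(const char *out) {
    return (long)strlen(out) - 2;
}

/* Hardened decoder: appends are bounded and the separator is only stripped
 * when the buffer really ends with ", ". */
char *decode_perms_hardened(unsigned mask) {
    char *out = calloc(OUT_SIZE, 1);
    if (out == NULL) return NULL;
    size_t len = 0;
    for (int i = 0; i < PERM_COUNT; i++) {
        if (!(mask & (1u << i))) continue;
        int n = snprintf(out + len, OUT_SIZE - len, "%s, ", PERM_NAMES[i]);
        if (n < 0 || (size_t)n >= OUT_SIZE - len) { free(out); return NULL; }
        len += (size_t)n;
    }
    if (len >= 2 && strcmp(out + len - 2, ", ") == 0)
        out[len - 2] = '\0';   /* index is inside the buffer by construction */
    return out;
}

int main(void) {
    char *p = decode_perms_hardened(0x5);   /* READ | DELETE */
    printf("mask 0x5 -> \"%s\"\n", p ? p : "(null)");
    free(p);
    p = decode_perms_hardened(0);           /* nothing written, nothing stripped */
    printf("mask 0x0 -> \"%s\"\n", p ? p : "(null)");
    free(p);
    printf("unchecked cut index for empty output: %ld\n",
           trailing_sep_index_unchecked(""));
    return 0;
}
```

Building with -fsanitize=address turns the unchecked write into an immediate heap-buffer-overflow report, which is the quickest way to confirm this bug class in a test harness.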

Impact

Exploitation of this vulnerability could allow an attacker to achieve remote code execution on the Wazuh manager, taking advantage of the heap-based buffer underflow.

Reproduction

The vulnerability can be reproduced by sending a crafted message from a Wazuh agent to the Wazuh manager. This message should be designed to trigger the buffer underflow in the decode_win_permissions function. Exploitation has been confirmed on Wazuh versions up to 4.9.0.

Remediation

Users can upgrade to Wazuh version 4.10.2 or later to address this vulnerability.

Added: Oct 29, 2025, 4:17 PM
Updated: Oct 29, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm
spread:         6.2
impact:         10.0
exploitability: 7.2
remediation:    7.7
relevance:      0.9
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.