CVE-2020-36938

#!/usr/bin/env python3 """ CVE-2020-36938 PoC - WinAVR Insecure Permissions This PoC demonstrates checking for insecure file permissions in WinAVR installation. """ import os import sys import subprocess import ctypes from pathlib import Path def check_admin_privileges(): """Check if running with administrator privileges""" try: is_admin = ctypes.windll.shell32.IsUserAnAdmin() return is_admin != 0 except: return False def find_winavr_installation(): """Try to locate WinAVR installation directory""" possible_paths = [ r"C:\WinAVR-20100110", r"C:\Program Files\WinAVR", r"C:\Program Files (x86)\WinAVR", os.path.expanduser("~\\WinAVR"), ] for path in possible_paths: if os.path.exists(path): return path return None def check_file_permissions(file_path): """ Check if a file has insecure permissions allowing modification by non-admin users. Uses Windows icacls command to check permissions. """ try: # Get current ACLs for the file result = subprocess.run( ['icacls', file_path], capture_output=True, text=True, timeout=10 ) # Check if 'Everyone' or 'Users' group has write/modify permissions output = result.stdout.lower() # Look for problematic permissions insecure_indicators = ['(F)', '(M)', '(W)', '(D)'] for indicator in insecure_indicators: if 'everyone' in output and indicator in output: return True, f"Everyone has {indicator} permission" if 'users' in output and indicator in output: return True, f"Users group has {indicator} permission" return False, "Permissions appear secure" except Exception as e: return None, f"Error checking permissions: {e}" def scan_winavr_directory(winavr_path): """Scan WinAVR directory for files with insecure permissions""" vulnerable_files = [] print(f"[*] Scanning WinAVR directory: {winavr_path}") # Target file extensions commonly exploited target_extensions = ['.exe', '.dll', '.bin', '.a', '.o'] for root, dirs, files in os.walk(winavr_path): for filename in files: if any(filename.lower().endswith(ext) for ext in target_extensions): file_path = os.path.join(root, filename) is_vulnerable, details = check_file_permissions(file_path) if is_vulnerable: print(f"[!] VULNERABLE: {file_path}") print(f" Details: {details}") vulnerable_files.append({ 'path': file_path, 'details': details }) return vulnerable_files def main(): print("=" * 60) print("CVE-2020-36938 PoC - WinAVR Insecure Folder Permissions") print("=" * 60) if not check_admin_privileges(): print("[*] Note: Running as non-admin user") print("[*] This PoC will check if you can modify WinAVR files") else: print("[!] Warning: Running with admin privileges") print("[*] Results may not reflect actual vulnerability") winavr_path = find_winavr_installation() if not winavr_path: print("[-] WinAVR installation not found") print("[-] Please install WinAVR or update search paths") return print(f"[+] Found WinAVR at: {winavr_path}") vulnerable_files = scan_winavr_directory(winavr_path) print("\n" + "=" * 60) print(f"[*] Scan complete. Found {len(vulnerable_files)} vulnerable files.") if vulnerable_files: print("[!] System is VULNERABLE to CVE-2020-36938") print("[!] An attacker with low privileges can modify executable files") print("[!] This can lead to privilege escalation or remote code execution") else: print("[+] No obvious vulnerabilities found") print("=" * 60) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2020-36938", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:09.663", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory."}, {"lang": "es", "value": "WinAVR versión 20100110 contiene una vulnerabilidad de permisos inseguros que permite a usuarios autenticados modificar archivos del sistema y ejecutables. Los atacantes pueden aprovechar los controles de acceso excesivamente permisivos para modificar potencialmente DLLs críticas y archivos ejecutables en el directorio de instalación de WinAVR."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-732"}]}], "references": [{"url": "https://sourceforge.net/projects/winavr/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49379", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/winavr-version-insecure-folder-permissions", "source": "[email protected]"}]}}