CVE-2015-7358
Severity: HIGH
CipherShed < 0.7.5.0 and VeraCrypt < 1.15 - Privilege Escalation via Drive Letter Symbolic Link
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2015-7358. PoCs published by Google Security Research.
AI-analyzed exploit summary: This exploit leverages a flaw in TrueCrypt-derived projects (e.g., VeraCrypt) where the driver incorrectly checks drive letter availability, allowing a local user to remap the system drive via symbolic link manipulation, leading to local privilege escalation.
Description
The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, does not properly validate drive letter symbolic links, which allows local users to mount an encrypted volume over an existing drive letter and gain privileges via an entry in the /GLOBAL?? directory.
Exploits (1)
References (6)
Scores
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H