CVE-2022-28999
📋 TL;DR
CVE-2022-28999 is an insecure permissions vulnerability in Dev-C++ 4.9.9.2 that allows attackers to overwrite the devcpp.exe binary with malicious code, leading to arbitrary code execution. This affects users who install Dev-C++ with default permissions on Windows systems. Attackers with local access can exploit this to gain elevated privileges.
💻 Affected Systems
- Dev-C++ (Bloodshed Dev-C++)
📦 What is this software?
Dev C++ by Bloodshed
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with the privileges of the Dev-C++ process, potentially leading to complete control of the affected system.
Likely Case
Local privilege escalation where an attacker with limited access can execute code with higher privileges, install malware, or steal sensitive data.
If Mitigated
No impact if proper file permissions are set or the software is not installed with vulnerable configurations.
🎯 Exploit Status
Exploitation requires local access to the system and ability to write to the Dev-C++ installation directory. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None - Dev-C++ is no longer actively maintained
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch exists. Consider migrating to actively maintained alternatives like Code::Blocks, Visual Studio Code with C++ extensions, or other modern IDEs.
🔧 Temporary Workarounds
Secure File Permissions
Manually set restrictive permissions on the Dev-C++ installation directory to prevent unauthorized write access.
icacls "C:\Program Files\Dev-Cpp" /inheritance:r /grant:r "%USERNAME%":F /grant:r "SYSTEM":F /grant:r "Administrators":F
Remove Write Permissions for Non-Admin Users
Remove write permissions for standard users and groups on the Dev-C++ directory.
icacls "C:\Program Files\Dev-Cpp" /remove:g "Users" /remove:g "Authenticated Users"
🧯 If You Can't Patch
- Uninstall Dev-C++ 4.9.9.2 and replace with a modern, actively maintained C++ IDE
- Implement strict access controls and monitor for unauthorized file modifications in the Dev-C++ directory
🔍 How to Verify
Check if Vulnerable:
Check if Dev-C++ 4.9.9.2 is installed and examine permissions on the installation directory using 'icacls "C:\Program Files\Dev-Cpp"' to see if non-admin users have write access.
Check Version:
Check the version in Dev-C++ via Help → About, or look for version information in the installation directory.
Verify Fix Applied:
Verify with the icacls command that only SYSTEM, Administrators, and the installing user have write permissions on the Dev-C++ directory.
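To automate the icacls checks above, here is an added Python example (not part of this advisory) that parses captured icacls output and lists every principal outside a trusted set that holds an allow ACE with write-capable rights. The installation path, the two sample ACL listings and the account DESKTOP\alice are constructed assumptions.

```python
import re

# Hypothetical checker (added example): evaluates `icacls <dir>` output and
# reports principals outside the trusted set that can write into the directory.
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

# icacls simple, specific and generic rights that allow creating or changing files.
# WD/AD/WEA/WA are the bits behind the AccessMask values 0x2/0x4/0x10/0x100.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WEA", "WA", "DC", "GA", "GW"}
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

def parse_icacls(output, path):
    """Yield (principal, set of rights/flags) for each ACE line of icacls output."""
    for line in output.splitlines():
        line = line.strip()
        if line.upper().startswith(path.upper()):   # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                                    # blank line or summary line
            continue
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        yield m.group("who"), {r for f in flags for r in f.split(",")}

def untrusted_writers(output, path, trusted=TRUSTED):
    """Principals not in `trusted` holding an allow ACE with any write right."""
    trusted_upper = {t.upper() for t in trusted}
    found = set()
    for who, rights in parse_icacls(output, path):
        if "DENY" in rights or who.upper() in trusted_upper:  # deny ACEs grant nothing
            continue
        if rights & WRITE_RIGHTS:
            found.add(who)
    return sorted(found)

PATH = r"C:\Program Files\Dev-Cpp"
# Constructed sample: a default install where non-admin groups can modify files.
BEFORE = r"""C:\Program Files\Dev-Cpp BUILTIN\Users:(OI)(CI)(M)
                         NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE,GW)
                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed sample after the workaround: only SYSTEM, Administrators and the
# installing user (assumed DESKTOP\alice) keep write access; Users keep read/execute.
AFTER = r"""C:\Program Files\Dev-Cpp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         BUILTIN\Administrators:(OI)(CI)(F)
                         DESKTOP\alice:(OI)(CI)(F)
                         BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
```

Pass the installing user in the `trusted` set when checking a hardened directory; an empty result means the fix is in place.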
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event Logs showing file permission changes or unauthorized access attempts to Dev-C++ directories
- Antivirus/EDR alerts for file modifications in Dev-C++ installation path
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%Dev-Cpp%' AND AccessMask IN ('0x2', '0x6', '0x116')