Twenty Year Anniversary
Showing 1 - 25 of 45 RSS Feed

Files from James Forshaw

First Active2011-08-11
Last Active2018-06-20
Microsoft Windows Desktop Bridge Virtual Registry Incomplete Fix
Posted Jun 20, 2018
Authored by James Forshaw, Google Security Research

The handling of the virtual registry for desktop bridge applications can allow an application to create arbitrary files as system resulting in privilege escalation. This is because the fix for CVE-2018-0880 (MSRC case 42755) did not cover all similar cases which were reported at the same time in the issue.

tags | exploit, arbitrary, registry
MD5 | 0c6e9aac6eb44da88353cc69fbad521f
Microsoft Windows Desktop Bridge Activation Arbitrary Directory Creation
Posted Jun 19, 2018
Authored by James Forshaw, Google Security Research

The activator for Desktop Bridge applications calls CreateAppContainerToken while running as a privileged account leading to creation of arbitrary object directories leading to privilege escalation.

tags | exploit, arbitrary
advisories | CVE-2018-8208
MD5 | 832f197845675cc7fc23e2136754692c
Microsoft Windows 10 1709 Child Process Restriction Mitigation Bypass
Posted Jun 13, 2018
Authored by James Forshaw, Google Security Research

Microsoft Windows 10 version 1709 suffers from a child process restriction mitigation bypass vulnerability.

tags | exploit, bypass
systems | windows
advisories | CVE-2018-0982
MD5 | 14320128fadf9ab6d9bdc495b2999b56
Microsoft Windows Token Process Trust SID Access Check Bypass Privilege Escalation
Posted May 15, 2018
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a token process trust SID access check bypass elevation of privilege vulnerability.

tags | exploit
systems | windows
advisories | CVE-2018-8134
MD5 | ace4fe2f42f537091fcddcf5ec0fcb58
Microsoft Windows WLDP CLSID Policy .NET COM Instantiation UMCI Bypass
Posted Apr 19, 2018
Authored by James Forshaw, Google Security Research

The enlightened Windows Lockdown Policy check for COM Class instantiation can be bypassed by using a bug in .NET leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard).

tags | exploit, arbitrary, code execution
systems | windows
MD5 | 9af4ae4b97751a5713a7402ad0feb6c6
Microsoft Windows CiSetFileCache TOCTOU Incomplete Fix
Posted Apr 17, 2018
Authored by James Forshaw, Google Security Research

The fix for CVE-2017-11830 is insufficient to prevent a normal user application adding a cached signing level to an unsigned file by exploiting a TOCTOU in CI leading to circumventing Device Guard policies.

tags | exploit
advisories | CVE-2017-11830, CVE-2018-0966
MD5 | dd01efee7f81b595a28eb0762c87ef42
Microsoft Windows Desktop Bridge Privilege Escalation
Posted Mar 21, 2018
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a Desktop Bridge Virtual Registry NtLoadKey arbitrary file read / write privilege escalation vulnerability.

tags | exploit, arbitrary, registry
systems | windows
advisories | CVE-2018-0882
MD5 | df20338cea8e10f24722840588aeb572
Microsoft Windows Desktop Bridge Privilege Escalation
Posted Mar 21, 2018
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a Desktop Bridge Virtual Registry arbitrary file read / write privilege escalation vulnerability.

tags | exploit, arbitrary, registry
systems | windows
advisories | CVE-2018-0880
MD5 | 36bac421e1beb393d9761eff962189a2
Microsoft Windows Desktop Bridge VFS Privilege Escalation
Posted Mar 21, 2018
Authored by James Forshaw, Google Security Research

The handling of the VFS for desktop bridge applications can allow an application to create virtual files in system folder which can result in elevation of privilege.

tags | exploit
advisories | CVE-2018-0877
MD5 | c02453b895ec3d0d5a6aa14ceccfcd6a
Windows Constrained Impersonation Capability Privilege Escalation
Posted Feb 22, 2018
Authored by James Forshaw, Google Security Research

Windows suffers from a Constrained Impersonation Capability privilege escalation vulnerability.

tags | exploit
systems | windows
advisories | CVE-2018-0821
MD5 | 1f17f321ec2055627ec4f2ce8c689dc4
Windows StorSvc SvcMoveFileInheritSecurity Arbitrary File Security Descriptor Overwrite
Posted Feb 22, 2018
Authored by James Forshaw, Google Security Research

Windows StorSvc SvcMoveFileInheritSecurity suffers from an arbitrary file security descriptor overwrite vulnerability that allows for privilege escalation.

tags | exploit, arbitrary
systems | windows
MD5 | c23ff1030843d4b2a8918b43f35200c0
Windows NPFS Symlink Security Feature Bypass / Privilege Escalation
Posted Feb 20, 2018
Authored by James Forshaw, Google Security Research

Windows suffers from NPFS Symlink security feature bypass and privilege escalation vulnerabilities.

tags | exploit, vulnerability
systems | windows
advisories | CVE-2018-0823
MD5 | 351a799b32a8be9550b61628f66dea60
Windows Global Reparse Point Security Feature Bypass / Privilege Escalation
Posted Feb 20, 2018
Authored by James Forshaw, Google Security Research

Windows suffer from Global Reparse Point security feature bypass and privilege escalation vulnerabilities.

tags | exploit, vulnerability
systems | windows
advisories | CVE-2018-0822
MD5 | 84a050a0c09ac8b610c64807057eb756
Windows StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation
Posted Feb 20, 2018
Authored by James Forshaw, Google Security Research

StorSvc SvcMoveFileInheritSecurity suffers from an arbitrary file creation vulnerability that allows for privilege escalation.

tags | exploit, arbitrary
advisories | CVE-2018-0826
MD5 | 975bfeb1e370d50ca7f709523268f0be
Microsoft Windows SMB Server Mount Point Privilege Escalation
Posted Jan 11, 2018
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the SMB server drivers (srv.sys and srv2.sys) do not check the destination of a NTFS mount point when manually handling a reparse operation leading to being able to locally open an arbitrary device via an SMB client which can result in privilege escalation.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-0749
MD5 | 8bee2db391a04c548de7c3126b3c73a4
Microsoft Windows NtImpersonateAnonymousToken LPAC To Non-LPAC Privilege Escalation
Posted Jan 11, 2018
Authored by James Forshaw, Google Security Research

On Microsoft Windows, when impersonating the anonymous token in an LPAC the WIN://NOAPPALLPKG security attribute is ignored leading to impersonating a non-LPAC token leading to privilege escalation.

tags | exploit
systems | windows
advisories | CVE-2018-0752
MD5 | 8c8cfa8d06fb3178fe47edd96393a118
Microsoft Windows NtImpersonateAnonymousToken AC To Non-AC Privilege Escalation
Posted Jan 11, 2018
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the check for an AC token when impersonating the anonymous token does not check impersonation token's security level leading to impersonating a non-AC anonymous token leading to privilege escalation.

tags | exploit
systems | windows
advisories | CVE-2018-0751
MD5 | ec5a514309e694f43622f9260cc4f20a
Microsoft Windows NTFS Owner/Mandatory Label Privilege Bypass
Posted Jan 11, 2018
Authored by James Forshaw, Google Security Research

When creating a new file on an NTFS drive it's possible to circumvent security checks for setting an arbitrary owner and mandatory label leading to a non-admin user setting those parts of the security descriptor with non-standard values which could result in further attacks resulting privilege escalation.

tags | exploit, arbitrary
advisories | CVE-2018-0748
MD5 | 23055e91c47aae5d9ca3bd19f9708bba
Microsoft Windows Local XPS Print Spooler Sandbox Escape
Posted Jan 10, 2018
Authored by James Forshaw, Google Security Research

The Microsoft Windows local print spooler can be abused to create an arbitrary file from a low privilege application including one in an AC as well as a typical Edge LPAC CP leading to elevation of privilege.

tags | exploit, arbitrary, local
systems | windows
MD5 | f9c76875d1743262b2802cf76e9e7f56
Intel Content Protection HECI Service Privilege Escalation
Posted Dec 19, 2017
Authored by James Forshaw, Google Security Research

The Intel Content Protection HECI Service exposes a DCOM object to all users and most sandboxes (such as Edge LPAC and Chrome GPU). It has a type confusion vulnerability which can be used to elevate to SYSTEM privileges.

tags | exploit
advisories | CVE-2017-5717
MD5 | a4c2f8375ebdc7ea8ce2023d56ff8651
Windows Defender Controlled Folder Bypass
Posted Nov 30, 2017
Authored by James Forshaw, Google Security Research

Windows Defender suffers from a controlled folder bypass through the UNC path. Affected includes Windows 10 1709 and Antimalware client version 4.12.16299.15.

tags | exploit
systems | windows
MD5 | a7c30a5ca5f72bced3e65bfc017e3f47
Microsoft Windows CI CiSetFileCache TOCTOU Security Feature Bypass
Posted Nov 21, 2017
Authored by James Forshaw, Google Security Research

It is possible to add a cached signing level to an unsigned file by exploiting a TOCTOU in CI leading to circumvention of Device Guard policies and possibly PPL signing levels.

tags | exploit
advisories | CVE-2017-11830
MD5 | 8ebc146325ec05100a1d36b627380a7b
Microsoft Windows WLDP/Scriptlet CLSID UMCI Bypass
Posted Nov 15, 2017
Authored by James Forshaw, Google Security Research

The enlightened lockdown policy check for COM Class instantiation can be bypassed in Scriptlet hosts leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard).

tags | exploit, arbitrary, code execution
MD5 | 9f26a70091ba091d126dd62e22de0746
Microsoft Windows WLDP/MSHTML CLSID UMCI Bypass
Posted Oct 14, 2017
Authored by James Forshaw, Google Security Research

The enlightened lockdown policy check for COM Class instantiation can be bypassed in MSHTML hosts leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard).

tags | exploit, arbitrary, code execution
advisories | CVE-2017-11823
MD5 | 1b2d4d07eba9dc0ac29034a6908021a0
Microsoft Windows PPL Process Injection Privilege Escalation
Posted Aug 29, 2017
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from an issue where it is possible to inject code into a PPL protected process by hijacking COM objects leading to accessing PPL processes such as Lsa and AntiMalware from an administrator.

tags | exploit
systems | windows
MD5 | f56afa12662c26fd335723f194b4b1df
Page 1 of 2
Back12Next

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    8 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close