RegLoadAppKey is documented to load keys into a location which can't be enumerated and is non-guessable. However, it's possible to enumerate loaded hives and find ones which can be written to, which might lead to elevation of privilege.
PspInitializeFullProcessImageName does not correctly handle a NULL pointer being passed to it, leading to a dereference at NULL for a file object, which might be exploitable on 32-bit systems for elevation of privilege.
A default installation of Windows 7/8 can be made to perform an NTLM reflection attack through WebDAV, which allows a local user to elevate privileges to Local System.
It is possible to bypass the ProcessFontDisablePolicy check in win32k to load a custom font from an arbitrary file on disk even in a sandbox.
If an application sends a one-way binder transaction, the service tries to send a reply, which fails. This causes the service manager to exit its binder loop and the process dies, causing the system to reboot. Tested on Android version 6.0.1 with the February patches.
The CSRSS BaseSrv RPC call BaseSrvCheckVDM allows you to create a new process with the anonymous token, which results in a new process in session 0 which can be abused to elevate privileges.
The GET_CONFIG and GET_PARAMETER calls on IOMX are vulnerable to an information disclosure of uninitialized heap memory. This could be used by an attacker to break ASLR in the media server process by reading out heap memory which contains useful address information.
The IMemory interface in frameworks/native/libs/binder/IMemory.cpp, used primarily by the media services, can be tricked into returning arbitrary memory locations, leading to information disclosure or memory corruption.
One change in Windows 8.1 from Windows 7 is the introduction of the console driver (condrv.sys), which is responsible for managing consoles. It contains a method, CdpLaunchServerProcess, which creates an instance of conhost.exe. This method calls ZwCreateUserProcess, which means that the system call runs with kernel permissions; it also passes a flag (0x400) to the system call which indicates that the new process should not be assigned to the parent job. This allows the conhost process to bypass the job restrictions.
The SecLogon service does not sanitize standard handles when creating a new process, which leads to a system service thread pool handle being duplicated into a user-accessible process. This can be used to elevate privileges to Local System.
The SEND_RESPONSE_TRANSACTION and SEND_NOTIFICATION_TRANSACTION IPC calls in BnBluetoothGattServer::onTransact are vulnerable to stack corruption, which could allow an attacker to locally elevate privileges to the level of the Bluetooth service.
The servicemanager, keystore and drmserver all use the getpidcon function to get the security context of the caller from a binder. When combined with a one-way binder transaction, this results in getting the security context of the current process, which might allow an SELinux MAC bypass.
The default Samsung email client's email viewer and composer (implemented in SecEmailUI.apk) doesn't sanitize HTML email content for scripts before rendering the data inside a WebView. This allows an attacker to execute arbitrary JavaScript when a user views an HTML email which contains HTML script tags or other event handlers.
The fix for CVE-2015-2553 can be bypassed to get limited mount reparse points working again for sandbox attacks by abusing anonymous token impersonation.
The fix for CVE-2015-2553 can be bypassed to get limited mount reparse points working again for sandbox attacks.
The 3D Vision service nvSCPAPISvr.exe, installed as part of typical driver installations, runs as Local System and has an insecure named pipe server. One of the commands in the server can be used to set an Explorer Run key for the system, which would allow a user to get code execution in the session of any other user who logs on to the same machine, leading to elevation of privilege. In Windows domain environments it would also be possible to exploit the vulnerability between machines if the attacker has access to a valid user account on one domain-joined machine.
On Microsoft Windows you can create NTFS hardlinks without needing write permissions on the target file.
On Windows 8.1 Update 32/64-bit, the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries, as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext. This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then compares the user SID in the token with LocalSystem's SID. It doesn't check the impersonation level of the token, so it's possible to get an identification-level token on your thread from a Local System process and bypass this check.
The NtCreateLowBoxToken API allows the capture of arbitrary handles, which can lead to local denial of service or elevation of privilege.
The SecEmailComposer/EmailComposer application used by the Samsung S6 Edge has an exported service action to do quick replies to emails. It was found that this action required no permissions to call, and could lead to an unprivileged application gaining access to email content.
A mitigation added to Windows 10 to prevent NTFS Mount Reparse Points being created at integrity levels below medium can be bypassed.
The Windows driver used by projects derived from TrueCrypt 7 (verified in VeraCrypt and CipherShed) is vulnerable to a local elevation of privilege attack due to incorrect checking of the calling process's impersonation token, which allows a user to inspect and potentially manipulate other users' mounted encrypted volumes on the same machine.
Cisco AnyConnect Secure Mobility Client version 3.1.08009 suffers from a privilege escalation vulnerability. The fix for CVE-2015-4211 is insufficient, which allows a local application to elevate to Local System through the CMainThread::launchDownloader command.
The Windows driver used by projects derived from TrueCrypt 7 (verified in VeraCrypt and CipherShed) is vulnerable to a local elevation of privilege attack by abusing the drive letter symbolic link creation facilities to remap the main system drive. With the system drive remapped, it's trivial to get a new process running under the Local System account.
The latest version of the Vector.primitive length check in Flash 18,0,0,232 is not robust against memory corruption such as heap overflows. While it is no longer possible to trivially bypass the length check, there is still unguarded data in the object which could be corrupted to serve as a useful primitive.