The Task Scheduler can be made to delete a task after it's trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.
c30785bf661d0d66daa78abe61a94c360587d6e66ae875cfc5a81dc4ec54b02eThe NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.
9bcf7274e363f1dc579d9ed68048a01019d56cc2f841f1a4a04c182389196296The host process for the UMFD runs as a normal user but with a heavily restrictive process DACL. It's possible execute arbitrary code within the context of the process because it's possible to access the processes threads leading to local EoP.
f0ec77ee8811de8feb9edad30b69fae9734672773f9e5a37d08fdba2317cebd5The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.
6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.
6aef4dd16b7085d61fe94cd118f3ece652f9cd33df0722b63a4bf31f53557554The maintenance service creates a log file in a user writable location. It's possible to change the log file to a hardlink to another file to cause file corruption or elevation of privilege.
9a1d92cce93d1ad86dd9eac6ec55a2b6aedcc3249f5d93fb13aea55da6b68ba6The system call NtPowerInformation performs a check that the caller is an administrator before performing some specific power functions. The check is done in the PopUserIsAdmin function. On Windows 7 this check is bypassable because the SeTokenIsAdmin function doesn't take into account the impersonation level of the token and the rest of the code also doesn't take it into account.
8e80a5edbfcfa8ce64460f4e9edf0e6164d6af2253e064cbdbd72a18a7cc6f4a
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed