Windows still suffers from issues related to the replacement of the system drive letter during impersonation. This can be abused to trick privileged processes into loading configuration files and other resources from untrusted locations, leading to elevation of privilege.
51212fb8ba211343dbd84b024c9c604426cec77c9b3e2b2de253af6449695b28
The HTTP server implemented in HTTP.SYS on Windows handles authentication in a system thread, which bypasses PAC verification, leading to escalation of privilege.
73ffca14ecbbd49fef40fa8d7691f553f1cd6ed289aaa1f61656fcd866416f5a
The Windows KDC allows an interposing attacker to downgrade to RC4-MD4 encryption, compromising the user's TGT session key and resulting in escalation of privilege.
7cbb12797e608e56c65513653347b2c0b4cee93da07a7ca593f276da0197c595
On Windows, the Kerberos ticket renewal process can be used with Credential Guard (CG) to obtain an unencrypted TGT session key for a currently authenticated user, leading to information disclosure.
1f9bd51e7f807ea1be820b38b4053f9b704e41211fd5779bce57f43bf497716a
On Windows, cryptographic data comparison in the CG secure process does not use constant-time algorithms, resulting in information disclosure.
1eae27125e32160c8f3573cd0f12536dc12d59971e45282431a815f2a69f4009
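The comparison issue above comes down to one pattern: a byte-by-byte compare that returns on the first mismatch, so its running time tells the caller how long a prefix of the secret was correct. The following is an added example written for this page, not code from Windows or from the original report. It puts that leaky compare beside a constant-time one; leaky_compare reports how many bytes it examined so the leaked signal is visible without timing measurements. The 16-byte arrays are constructed stand-ins for a key or checksum held in the secure process, not real material.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison, the pattern the secure process should avoid: the
 * loop returns on the first mismatching byte, so the time taken reveals how
 * long a prefix of the secret the attacker-controlled input already matches.
 * *steps receives the number of bytes examined, standing in for that timing. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t len, size_t *steps)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;        /* attacker learns: first i bytes were right */
            return 1;
        }
    }
    *steps = len;
    return 0;
}

/* Constant-time comparison: every byte is visited regardless of where the
 * inputs differ, and the XOR differences are OR-accumulated instead of
 * tested. The result is collapsed to 0/1 only after the loop, without a
 * data-dependent branch. Returns 0 if equal, 1 otherwise. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t len)
{
    volatile uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    /* For any x in 1..255, (x | (256 - x)) has bit 7 set; for x == 0 it is 0. */
    uint8_t x = acc;
    return (x | (uint8_t)(0u - x)) >> 7;
}

/* Constructed 16-byte values (not real key material). */
const uint8_t kExpected[16] = {
    0x3a, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x88, 0x1b,
    0xf0, 0x6c, 0x29, 0xa5, 0x73, 0xbe, 0x14, 0xd9 };
/* Matches kExpected in every byte but the last: the leaky compare examines
 * 16 bytes here versus 1 for kWrongFirst, which is the leaked signal. */
const uint8_t kWrongLast[16] = {
    0x3a, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x88, 0x1b,
    0xf0, 0x6c, 0x29, 0xa5, 0x73, 0xbe, 0x14, 0x00 };
const uint8_t kWrongFirst[16] = {
    0x00, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x88, 0x1b,
    0xf0, 0x6c, 0x29, 0xa5, 0x73, 0xbe, 0x14, 0xd9 };

int main(void)
{
    size_t steps;
    leaky_compare(kExpected, kWrongLast, 16, &steps);
    printf("leaky_compare examined %zu bytes for kWrongLast\n", steps);
    leaky_compare(kExpected, kWrongFirst, 16, &steps);
    printf("leaky_compare examined %zu bytes for kWrongFirst\n", steps);
    printf("ct_compare(expected, wrongLast) = %d\n",
           ct_compare(kExpected, kWrongLast, 16));
    return 0;
}
```

The volatile accumulator and the bit trick at the end are there so an optimising compiler cannot reintroduce an early exit or a branch on the result; in production code prefer the platform's own constant-time primitive where one exists.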
On Windows, the KerbIumGetNtlmSupplementalCredential CG API does not check the encryption key type leading to information disclosure of key material.
bfc4de1d074e4d56008f260f7b9c997af5b2161990204d92efb3480c889c7baa
On Windows, the CG API KerbIumCreateApReqAuthenticator can be used to decrypt arbitrary encrypted Kerberos keys, leading to information disclosure.
795dc1d7b2670d24abb7d74a9852a53667f29e9616266571270c30ddde0cf221
Windows Credential Guard does not prevent using encrypted Kerberos keys to change a user's password, leading to elevation of privilege.
963aa15cc46082f2880e53f09434bff0855b293f238fa1b7b59fcc34a5c7c568
Windows CG APIs that take encrypted keys do not limit which encryption or checksum types can be used with those keys. This can result in weak encryption algorithms being used, which could be abused to either generate keystreams or brute-force encryption keys.
a89b74c0dc18c8ac3c1161dc1b3af00aa0758ae52080749f23434cc90472d8b2
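Both the RC4-MD4 KDC downgrade listed earlier and the unchecked CG key types described here are the same missing check seen from two sides: an encryption or checksum type supplied by the peer is honoured without being tested against a policy. The following is an added example for this page, not Windows code or code from the original reports. It assumes an AES-only policy (an assumption made for the example; real deployments may still need RC4-HMAC) and shows an allowlist check that binds the key's etype, key length and checksum type together, plus a KDC-side selection that refuses to negotiate rather than accept whatever a tampered request offers. The type numbers are from RFC 3961/3962/4757 and MS-KILE.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Kerberos encryption type numbers (RFC 3961/3962/4757, MS-KILE). */
enum {
    ETYPE_NONE                    = 0,
    ETYPE_DES_CBC_CRC             = 1,
    ETYPE_DES_CBC_MD5             = 3,
    ETYPE_AES128_CTS_HMAC_SHA1_96 = 17,
    ETYPE_AES256_CTS_HMAC_SHA1_96 = 18,
    ETYPE_RC4_HMAC                = 23,
    ETYPE_RC4_HMAC_EXP            = 24,
    ETYPE_RC4_MD4                 = -128,   /* MS-KILE; the downgrade target */
};
/* Checksum type numbers. */
enum {
    CKSUM_HMAC_SHA1_96_AES128 = 15,
    CKSUM_HMAC_SHA1_96_AES256 = 16,
    CKSUM_HMAC_MD5            = -138,  /* RC4-HMAC's checksum, RFC 4757 */
};

/* Assumed policy for this example: only AES is acceptable. An allowlist is
 * used deliberately: anything not on it, including vendor-specific negative
 * etypes such as RC4-MD4, is rejected without having to enumerate them. */
static bool etype_allowed(int32_t etype)
{
    return etype == ETYPE_AES128_CTS_HMAC_SHA1_96 ||
           etype == ETYPE_AES256_CTS_HMAC_SHA1_96;
}

/* Key length each allowed etype requires (RFC 3962); 0 = not allowed. */
static size_t etype_key_len(int32_t etype)
{
    switch (etype) {
    case ETYPE_AES128_CTS_HMAC_SHA1_96: return 16;
    case ETYPE_AES256_CTS_HMAC_SHA1_96: return 32;
    default:                            return 0;
    }
}

/* The mandatory checksum type for an allowed etype (RFC 3962); 0 = none. */
static int32_t etype_mandatory_cksum(int32_t etype)
{
    switch (etype) {
    case ETYPE_AES128_CTS_HMAC_SHA1_96: return CKSUM_HMAC_SHA1_96_AES128;
    case ETYPE_AES256_CTS_HMAC_SHA1_96: return CKSUM_HMAC_SHA1_96_AES256;
    default:                            return 0;
    }
}

/* Gate every use of a key on the (etype, key length, checksum type) triple.
 * Binding the checksum type to the etype stops a caller from pairing a
 * strong key with a weak or unkeyed checksum, or a short key with an etype
 * it does not fit. */
bool key_use_allowed(int32_t etype, size_t keylen, int32_t cksumtype)
{
    if (!etype_allowed(etype))                     return false;
    if (etype_key_len(etype) != keylen)            return false;
    if (etype_mandatory_cksum(etype) != cksumtype) return false;
    return true;
}

/* KDC-side selection: the strongest allowed etype from the client's list,
 * or ETYPE_NONE. A KDC that instead takes the first thing offered lets an
 * on-path attacker who strips AES from the request force the session key
 * down to RC4-MD4. Under the AES-only policy the larger number is the
 * stronger type, so a plain maximum suffices. */
int32_t negotiate_etype(const int32_t *offered, size_t n)
{
    int32_t best = ETYPE_NONE;
    for (size_t i = 0; i < n; i++) {
        if (!etype_allowed(offered[i])) continue;
        if (best == ETYPE_NONE || offered[i] > best) best = offered[i];
    }
    return best;
}

/* Constructed offers: an unmodified client list, and the same request after
 * an interposing attacker has replaced it with RC4-MD4 only. */
const int32_t kHonestOffer[]     = { ETYPE_AES256_CTS_HMAC_SHA1_96,
                                     ETYPE_AES128_CTS_HMAC_SHA1_96,
                                     ETYPE_RC4_HMAC };
const int32_t kDowngradedOffer[] = { ETYPE_RC4_MD4 };

int main(void)
{
    printf("honest offer     -> etype %d\n", negotiate_etype(kHonestOffer, 3));
    printf("downgraded offer -> etype %d (0 = refuse)\n",
           negotiate_etype(kDowngradedOffer, 1));
    return 0;
}
```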
On Windows, the method for allocating a context when using the CG BCrypt APIs is insecure, leading to a use-after-free of secure memory and resulting in elevation of privilege.
c22c4583f57e6b94c3c87d7e06f1807aec4eb6add28377b878080567d6bba7a8
On Windows, a number of Kerberos CG APIs do not verify the ASN.1 PDU type when decoding and encoding Kerberos ASN.1 structures, leading to type confusion and elevation of privilege.
af00e87e42028f79ab35606912cd654841bc7965655e5d68e202a8ef913306f4
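Every Kerberos PDU carries its type in the outer ASN.1 APPLICATION tag (RFC 4120 section 5: Ticket is [APPLICATION 1], Authenticator [APPLICATION 2], AP-REQ [APPLICATION 14], and so on), so a decoder that skips that tag will happily interpret one structure through another's definition. The following is an added example written for this page, not Windows code or code from the original report. It parses the outer DER identifier and length of a Kerberos PDU and shows the check a type-specific decoder must make before touching the content. The byte strings are constructed outer elements with a placeholder SEQUENCE as content, not real tickets or requests.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Kerberos PDU APPLICATION tag numbers (RFC 4120 section 5). */
enum kerb_pdu {
    KERB_TICKET          = 1,
    KERB_AUTHENTICATOR   = 2,
    KERB_ENC_TICKET_PART = 3,
    KERB_AS_REQ          = 10,
    KERB_AS_REP          = 11,
    KERB_TGS_REQ         = 12,
    KERB_TGS_REP         = 13,
    KERB_AP_REQ          = 14,
    KERB_AP_REP          = 15,
    KERB_ERROR           = 30,
};

#define DER_CLASS_MASK  0xC0
#define DER_CLASS_APP   0x40
#define DER_CONSTRUCTED 0x20
#define DER_TAG_MASK    0x1F

/* Parse the outer DER identifier and length. Returns the APPLICATION tag
 * number (>= 0) and sets *body/*body_len to the content octets, or -1 if the
 * buffer is not a well-formed constructed APPLICATION element whose content
 * fits in len. Only single-octet tag numbers (< 31) are handled; every
 * Kerberos PDU tag is in that range. */
int kerb_pdu_tag(const uint8_t *der, size_t len,
                 const uint8_t **body, size_t *body_len)
{
    if (len < 2) return -1;
    uint8_t id = der[0];
    if ((id & DER_CLASS_MASK) != DER_CLASS_APP) return -1;
    if (!(id & DER_CONSTRUCTED)) return -1;
    int tag = id & DER_TAG_MASK;
    if (tag == DER_TAG_MASK) return -1;          /* multi-byte tag: not a PDU */

    size_t pos = 1, clen = 0;
    uint8_t l = der[pos++];
    if (l < 0x80) {
        clen = l;                                /* short form */
    } else {                                     /* long form */
        size_t nbytes = l & 0x7F;
        if (nbytes == 0 || nbytes > sizeof(size_t) || pos + nbytes > len)
            return -1;
        for (size_t i = 0; i < nbytes; i++) clen = (clen << 8) | der[pos++];
        if (clen < 0x80) return -1;              /* DER: minimal length only */
    }
    if (clen > len - pos) return -1;             /* content must fit in buffer */
    *body = der + pos;
    *body_len = clen;
    return tag;
}

/* The check a decoder for one PDU type must make before interpreting the
 * content as that type. An Authenticator handed to a routine expecting an
 * AP-REQ (or the reverse) would otherwise be walked through the wrong
 * structure definition. Returns 1 only if the outer tag is exactly expected. */
int kerb_decode_check(const uint8_t *der, size_t len, enum kerb_pdu expected)
{
    const uint8_t *body;
    size_t body_len;
    return kerb_pdu_tag(der, len, &body, &body_len) == (int)expected;
}

/* Constructed samples: outer element plus a placeholder SEQUENCE { NULL }. */
const uint8_t kApReq[]   = { 0x6E, 0x04, 0x30, 0x02, 0x05, 0x00 }; /* [APPLICATION 14] */
const uint8_t kAuthent[] = { 0x62, 0x04, 0x30, 0x02, 0x05, 0x00 }; /* [APPLICATION 2]  */
const uint8_t kTrunc[]   = { 0x6E, 0x82, 0x01, 0x00, 0x30 };       /* claims 256 bytes */

int main(void)
{
    printf("AP-REQ bytes as AP-REQ:        %d\n",
           kerb_decode_check(kApReq, sizeof kApReq, KERB_AP_REQ));
    printf("Authenticator bytes as AP-REQ: %d\n",
           kerb_decode_check(kAuthent, sizeof kAuthent, KERB_AP_REQ));
    printf("Truncated element as AP-REQ:   %d\n",
           kerb_decode_check(kTrunc, sizeof kTrunc, KERB_AP_REQ));
    return 0;
}
```

The same check applies on the encoding side: a routine that re-encodes a structure it was handed should emit the tag for the type it was asked to produce, not echo whatever tag arrived.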
On Windows, when the computer is registered to use a public key for computer authentication, the certificate is stored in a user-accessible registry key, leading to elevation of privilege.
1feeee68d37491874f775b215beec9a53d02ac93f453ad09df73f1cd980977f8
On Microsoft Windows, the LsapGetClientInfo API in LSASRV falls back to directly capturing the caller's impersonation token if impersonation fails, leading to elevation of privilege if the impersonation level is not checked.
4f77530c88d7c141599b603fabccbde4f773bc1697a54702749961ba91a1346a
On Windows 11, the Kerberos SSP's KerbRetrieveEncodedTicketMessage message can be used to get an arbitrary service ticket and session key from an AppContainer, even without the enterprise authentication capability, leading to elevation of privilege.
78434d5ce4cfd024dc8d980cdbc2c6c5bfc491c59fd75bca49f3b74f62b3a77a
On Windows, the buffer for the redirected logon context does not protect against spoofing, resulting in arbitrary code execution in the LSA and leading to local elevation of privilege.
e5fb08a6edcf0b1b0510543eebe8a2074c96f610873eefbc81fd441dc6b36c39
The handling of Windows Defender Remote Credential Guard credentials is vulnerable to authentication relay attacks, leading to elevation of privilege or authentication bypass.
59d20260a71bd3953d7c62c227f9a18519548cd6196f851a5c6ffb7ee4def447
The EFSRPC service on Microsoft Windows Server 2019 and 2022 does not prevent a caller from specifying a local device path, allowing any authenticated user to upload arbitrary files to the server.
69dcaa165fe62179a42fd16409e133c7034c05be0577fdf672a5a01f4c88b8f8
The WSAQuerySocketSecurity API returns full anonymous impersonation tokens for connected peers in an AppContainer, leading to a sandbox escape.
7067265a29081b6a7514db42489f78ae1ae9ee5b818ed3098e7c76170efc1909
The Windows IKEEXT service does not verify the SPN when performing AuthIP authentication, leading to authentication tokens being leaked to untrusted systems.
0079ebd509ea0915ed3e16a7c9804d1538ef4af1d978ab5d1ad291080c5dd106
Microsoft Windows suffers from unsafe temporary directory use in the Malicious Software Removal Tool that can lead to elevation of privilege.
6819297d57101dd6ad7947bc892901e186a3a5f3d7b10cdbea6075ecf121b687
The msExchStorageGroup schema class added during Exchange installation can be used to create almost any AD object, including users, groups or domain trusts, leading to elevation of privilege.
627232e16239714ec375a9cfcdcb5ae5ed42b0f516a9d4728d978cfb3abf4962
The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities, leading to elevation of privilege.
817d39612fc53f7a2ee93673d737d89c13b73c3517209d386b6ada61eca137bb
Microsoft Windows allows the CreateProcessWithLogon API to be used to escape a write-restricted service and achieve full write access as the service user.
f7fbef38375142a8ef413e304679bb1f30ba17803f5f88f543d793439b06b967
The Windows Filtering Platform does not verify the token impersonation level when checking filters, allowing the bypass of firewall rules and leading to elevation of privilege.
d50c76fd05c506889a7df42cb2597789f0a3498e0efb4795bd03d621894da27f
Kerberos supports a security buffer that sets the target SPN of a ticket, bypassing the SPN check in LSASS.
1d5d38694b7c25fc61d91a95f2fe8b95d80f7177cbc88c8349db3852e07f5b72