
Files from James Forshaw

Email address: forshaw at google.com
First Active: 2011-08-11
Last Active: 2023-09-06
Microsoft Windows Privilege Escalation
Posted Sep 6, 2023
Authored by James Forshaw, Google Security Research

Windows still suffers from issues related to the replacement of the system drive letter during impersonation. This can be abused to trick privileged processes into loading configuration files and other resources from untrusted locations, leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2022-41073, CVE-2023-35359
SHA-256 | 51212fb8ba211343dbd84b024c9c604426cec77c9b3e2b2de253af6449695b28
Windows HTTP.SYS Kerberos PAC Verification Bypass / Privilege Escalation
Posted Dec 8, 2022
Authored by James Forshaw, Google Security Research

The HTTP server implemented in HTTP.SYS on Windows handles authentication in a system thread which bypasses PAC verification leading to escalation of privilege.

tags | exploit, web
systems | windows
advisories | CVE-2022-35756, CVE-2022-41057
SHA-256 | 73ffca14ecbbd49fef40fa8d7691f553f1cd6ed289aaa1f61656fcd866416f5a
Windows Kerberos RC4 MD4 Encryption Downgrade Privilege Escalation
Posted Oct 3, 2022
Authored by James Forshaw, Google Security Research

The Windows KDC allows an interposing attacker to downgrade to RC4 MD4 encryption, compromising the user's TGT session key and resulting in escalation of privilege.

tags | advisory
systems | windows
SHA-256 | 7cbb12797e608e56c65513653347b2c0b4cee93da07a7ca593f276da0197c595
Windows Credential Guard TGT Renewal Information Disclosure
Posted Sep 9, 2022
Authored by James Forshaw, Google Security Research

On Windows, the Kerberos ticket renewal process can be used with CG to get an unencrypted TGT session key for a currently authenticated user leading to information disclosure.

tags | exploit, info disclosure
systems | windows
advisories | CVE-2022-35822
SHA-256 | 1f9bd51e7f807ea1be820b38b4053f9b704e41211fd5779bce57f43bf497716a
Windows Credential Guard Non-Constant Time Comparison Information Disclosure
Posted Sep 9, 2022
Authored by James Forshaw, Google Security Research

On Windows, the handling of cryptographic data comparison in the CG secure process does not use constant time algorithms resulting in information disclosure.

tags | advisory, info disclosure
systems | windows
advisories | CVE-2022-34704
SHA-256 | 1eae27125e32160c8f3573cd0f12536dc12d59971e45282431a815f2a69f4009
Windows Credential Guard KerbIumGetNtlmSupplementalCredential Information Disclosure
Posted Sep 9, 2022
Authored by James Forshaw, Google Security Research

On Windows, the KerbIumGetNtlmSupplementalCredential CG API does not check the encryption key type leading to information disclosure of key material.

tags | exploit, info disclosure
systems | windows
advisories | CVE-2022-34712
SHA-256 | bfc4de1d074e4d56008f260f7b9c997af5b2161990204d92efb3480c889c7baa
Windows Credential Guard KerbIumCreateApReqAuthenticator Key Information Disclosure
Posted Sep 9, 2022
Authored by James Forshaw, Google Security Research

On Windows, CG API KerbIumCreateApReqAuthenticator can be used to decrypt arbitrary encrypted Kerberos keys leading to information disclosure.

tags | exploit, arbitrary, info disclosure
systems | windows
advisories | CVE-2022-34711
SHA-256 | 795dc1d7b2670d24abb7d74a9852a53667f29e9616266571270c30ddde0cf221
Windows Credential Guard Kerberos Change Password Privilege Escalation
Posted Sep 9, 2022
Authored by James Forshaw, Google Security Research

Windows Credential Guard does not prevent using encrypted Kerberos keys to change a user's password, leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2022-35771
SHA-256 | 963aa15cc46082f2880e53f09434bff0855b293f238fa1b7b59fcc34a5c7c568
Windows Credential Guard Insufficient Checks On Kerberos Encryption Type Use
Posted Sep 9, 2022
Authored by James Forshaw, Google Security Research

Windows CG APIs, which take encrypted keys, do not limit what encryption or checksum types can be used with those keys. This can result in using weak encryption algorithms which could be abused to either generate keystreams or brute force encryption keys.

tags | exploit
systems | windows
advisories | CVE-2022-34710
SHA-256 | a89b74c0dc18c8ac3c1161dc1b3af00aa0758ae52080749f23434cc90472d8b2
Windows Credential Guard BCrypt Context Use-After-Free Privilege Escalation
Posted Sep 9, 2022
Authored by James Forshaw, Google Security Research

On Windows, the method for allocating a context when using the CG BCrypt APIs is insecure leading to use-after-free of secure memory resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2022-34705
SHA-256 | c22c4583f57e6b94c3c87d7e06f1807aec4eb6add28377b878080567d6bba7a8
Windows Credential Guard ASN1 Decoder Type Confusion Privilege Escalation
Posted Sep 9, 2022
Authored by James Forshaw, Google Security Research

On Windows, a number of Kerberos CG APIs do not verify the ASN1 PDU type when decoding and encoding Kerberos ASN1 structures leading to type confusion and elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2022-34709
SHA-256 | af00e87e42028f79ab35606912cd654841bc7965655e5d68e202a8ef913306f4
Windows Credential Guard Domain-Joined Device Public Key Privilege Escalation
Posted Aug 15, 2022
Authored by James Forshaw, Google Security Research

On Windows, when registered to use a public key for computer authentication, the certificate is stored in a user accessible registry key leading to elevation of privilege.

tags | exploit, registry
systems | windows
advisories | CVE-2022-22031
SHA-256 | 1feeee68d37491874f775b215beec9a53d02ac93f453ad09df73f1cd980977f8
Windows LSA Service LsapGetClientInfo Impersonation Level Check Privilege Escalation
Posted Jul 15, 2022
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LsapGetClientInfo API in LSASRV will fall back and directly capture a caller's impersonation token if it fails to impersonate, leading to elevation of privilege if the impersonation level is not checked.

tags | exploit
systems | windows
advisories | CVE-2022-30166
SHA-256 | 4f77530c88d7c141599b603fabccbde4f773bc1697a54702749961ba91a1346a
Windows Kerberos KerbRetrieveEncodedTicketMessage AppContainer Privilege Escalation
Posted Jul 7, 2022
Authored by James Forshaw, Google Security Research

On Windows 11, the Kerberos SSP's KerbRetrieveEncodedTicketMessage message can be used to get an arbitrary service ticket and session key from an AppContainer even without the enterprise authentication capability leading to elevation of privilege.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2022-30164
SHA-256 | 78434d5ce4cfd024dc8d980cdbc2c6c5bfc491c59fd75bca49f3b74f62b3a77a
Windows Kerberos Redirected Logon Buffer Privilege Escalation
Posted Jul 6, 2022
Authored by James Forshaw, Google Security Research

On Windows, the buffer for redirected logon context does not protect against spoofing resulting in arbitrary code execution in the LSA leading to local elevation of privilege.

tags | exploit, arbitrary, local, spoof, code execution
systems | windows
advisories | CVE-2022-24545, CVE-2022-30165
SHA-256 | e5fb08a6edcf0b1b0510543eebe8a2074c96f610873eefbc81fd441dc6b36c39
Windows Defender Remote Credential Guard Authentication Relay Privilege Escalation
Posted Jul 5, 2022
Authored by James Forshaw, Google Security Research

The handling of Windows Defender Remote Credential Guard credentials is vulnerable to authentication relay attacks leading to elevation of privilege or authentication bypass.

tags | exploit, remote
systems | windows
advisories | CVE-2022-30150
SHA-256 | 59d20260a71bd3953d7c62c227f9a18519548cd6196f851a5c6ffb7ee4def447
Microsoft Windows EFSRPC Arbitrary File Upload / Privilege Escalation
Posted Jan 13, 2022
Authored by James Forshaw, Google Security Research

The EFSRPC service on Microsoft Windows Server versions 2019 and 2022 does not prevent a caller specifying a local device path allowing any authenticated user to upload arbitrary files to a server.

tags | exploit, arbitrary, local
systems | windows
advisories | CVE-2021-43893
SHA-256 | 69dcaa165fe62179a42fd16409e133c7034c05be0577fdf672a5a01f4c88b8f8
Microsoft Windows WSAQuerySocketSecurity AppContainer Privilege Escalation
Posted Nov 11, 2021
Authored by James Forshaw, Google Security Research

The WSAQuerySocketSecurity API returns full anonymous impersonation tokens for connected peers in an AppContainer leading to a sandbox escape.

tags | exploit
advisories | CVE-2021-40476
SHA-256 | 7067265a29081b6a7514db42489f78ae1ae9ee5b818ed3098e7c76170efc1909
Windows IKEEXT AuthIP Unvalidated GSS_ID Privilege Escalation
Posted Oct 22, 2021
Authored by James Forshaw, Google Security Research

The Windows IKEEXT service does not verify the SPN when performing AuthIP authentication leading to leaking authentication tokens to untrusted systems.

tags | exploit
systems | windows
SHA-256 | 0079ebd509ea0915ed3e16a7c9804d1538ef4af1d978ab5d1ad291080c5dd106
Microsoft Windows Malicious Software Removal Tool Privilege Escalation
Posted Aug 9, 2021
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from unsafe temporary directory use with the Malicious Software Removal Tool that can lead to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2007-0843, CVE-2015-2418
SHA-256 | 6819297d57101dd6ad7947bc892901e186a3a5f3d7b10cdbea6075ecf121b687
Microsoft Exchange AD Schema Misconfiguration Privilege Escalation
Posted Jul 29, 2021
Authored by James Forshaw, Google Security Research

The msExchStorageGroup schema class added during Exchange installation can be used to create almost any AD object including users, groups or domain trusts leading to elevation of privilege.

tags | exploit
advisories | CVE-2021-34470
SHA-256 | 627232e16239714ec375a9cfcdcb5ae5ed42b0f516a9d4728d978cfb3abf4962
Microsoft Windows WFP Default Rules AppContainer Capability Bypass Privilege Escalation
Posted Jul 20, 2021
Authored by James Forshaw, Google Security Research

The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.

tags | exploit, tcp
SHA-256 | 817d39612fc53f7a2ee93673d737d89c13b73c3517209d386b6ada61eca137bb
Microsoft Windows CreateProcessWithLogon Write Restricted Service Privilege Escalation
Posted Jul 14, 2021
Authored by James Forshaw, Google Security Research

Microsoft Windows has an issue where the CreateProcessWithLogon API can be used to escape a write restricted service and achieve full write access as the service user.

tags | exploit
systems | windows
SHA-256 | f7fbef38375142a8ef413e304679bb1f30ba17803f5f88f543d793439b06b967
Microsoft Windows Filtering Platform Token Access Check Privilege Escalation
Posted Jun 23, 2021
Authored by James Forshaw, Google Security Research

The Windows Filtering Platform does not verify the token impersonation level when checking filters allowing the bypass of firewall rules leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2021-31970
SHA-256 | d50c76fd05c506889a7df42cb2597789f0a3498e0efb4795bd03d621894da27f
Windows Kerberos AppContainer Enterprise Authentication Capability Bypass
Posted Jun 17, 2021
Authored by James Forshaw, Google Security Research

Kerberos supports a security buffer to set the target SPN of a ticket bypassing the SPN check in LSASS.

tags | exploit
advisories | CVE-2021-26414, CVE-2021-31962
SHA-256 | 1d5d38694b7c25fc61d91a95f2fe8b95d80f7177cbc88c8349db3852e07f5b72
© 2022 Packet Storm. All rights reserved.