what you don't know can hurt you
Showing 1 - 25 of 88 RSS Feed

Files from James Forshaw

Email addressforshaw at google.com
First Active2011-08-11
Last Active2020-09-08
Microsoft Windows StorageFolder Marshaled Object Access Check Bypass / Privilege Escalation
Posted Sep 8, 2020
Authored by James Forshaw, Google Security Research

The StorageFolder class when used out of process can bypass security checks to read and write files not allowed to an AppContainer.

tags | exploit
advisories | CVE-2020-0886
MD5 | fcac5139eefb819b4a7b0e211caa1f0d
Microsoft Windows CloudExperienceHostBroker Privilege Escalation
Posted Sep 8, 2020
Authored by James Forshaw, Google Security Research

The CloundExperienceHostBroker hosts unsafe COM objects accessible to a normal user leading to elevation of privilege.

tags | exploit
advisories | CVE-2015-2528, CVE-2020-1471
MD5 | c38651bc173d658ea5caddd8450163b6
Microsoft Windows CmpDoReadTxRBigLogRecord Memory Corruption Privilege Escalation
Posted Aug 21, 2020
Authored by James Forshaw, Google Security Research

The handling of KTM logs when initializing a Registry Hive contains no bounds checks which results in privilege escalation.

tags | exploit, registry
advisories | CVE-2020-1378
MD5 | 47cc29fc3f9a4152d374689e8d8dbe44
Microsoft Windows CmpDoReDoCreateKey Arbitrary Registry Key Creation Privilege Escalation
Posted Aug 21, 2020
Authored by James Forshaw, Google Security Research

The handling of KTM logs does not limit Registry Key operations to the loading hive leading to elevation of privilege.

tags | exploit, registry
advisories | CVE-2020-1377
MD5 | cde9e4062cc05fc18d17cf5eabad623b
Microsoft Windows AppContainer Enterprise Authentication Capability Bypass
Posted Aug 13, 2020
Authored by James Forshaw, Google Security Research

On Microsoft Windows 10 1909, LSASS does not correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user's credentials.

tags | exploit
systems | windows
advisories | CVE-2020-1509
MD5 | a9c5a593a7fd8beb544d51baa38c1730
Firefox Default Content Process DACL Sandbox Escape
Posted May 28, 2020
Authored by James Forshaw, Google Security Research

The Firefox content processes do not sufficiently lockdown access control which can result in a sandbox escape.

tags | exploit
advisories | CVE-2020-12388
MD5 | 1b90a8f7ec30889bdb9321cdf60bc14e
Microsoft Windows SE_SERVER_SECURITY Security Descriptor Owner Privilege Escalation
Posted Apr 15, 2020
Authored by James Forshaw, Google Security Research

In Microsoft Windows, by using the poorly documented SE_SERVER_SECURITY Control flag it is possible to set an owner different to the caller, bypassing security checks.

tags | exploit
systems | windows
MD5 | 5d3f5584e58e6901a002f9377a06e10b
Microsoft Windows NtFilterToken ParentTokenId Incorrect Setting Privilege Escalation
Posted Apr 15, 2020
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from an NtFilterToken ParentTokenId incorrect setting that allows for elevation of privileges.

tags | exploit
systems | windows
advisories | CVE-2020-0981
MD5 | 86b3a43f0e04663a4647981a2e122e3f
ShaderCache Arbitrary File Creation / Privilege Escalation
Posted Mar 16, 2020
Authored by James Forshaw, Google Security Research

The shared ShaderCache directory can be exploited to create an arbitrary file on the file system leading to elevation of privilege.

tags | exploit, arbitrary
advisories | CVE-2020-0516
MD5 | b6ec5dd1ecead03cc6ab5a667386a03f
Microsoft Windows Insecure CSharedStream Object Privilege Escalation
Posted Oct 28, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from an insecure CSharedStream object privilege escalation vulnerability.

tags | exploit
systems | windows
MD5 | 687f585eaab9feeb5d38e13cc05c1c00
Microsoft Windows SET_REPARSE_POINT_EX Mount Point Security Feature Bypass
Posted Aug 22, 2019
Authored by James Forshaw, Google Security Research

The NTFS driver supports a new FS control code to set a mount point which the existing sandbox mitigation doesn't support allowing a sandboxed application to set an arbitrary mount point symbolic link.

tags | exploit, arbitrary
advisories | CVE-2019-1170
MD5 | 0943b5ee8bb525ed81875df4a3ae481f
Microsoft Windows RPCSS Activation Kernel Security Callback Privilege Escalation
Posted Jul 18, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the RPCSS Activation Kernel RPC server's security callback can be bypassed resulting in elevation of privilege.

tags | exploit, kernel
systems | windows
advisories | CVE-2019-1089
MD5 | c4819f99e884719a97eddb52654d624b
AppXSvc Hard Link Privilege Escalation
Posted Jul 15, 2019
Authored by James Forshaw, Nabeel Ahmed, Shelby Pace | Site metasploit.com

There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This Metasploit module employs a technique using the Diagnostics Hub Standard Collector Service (DiagHub) which was discovered by James Forshaw to load and execute a DLL as SYSTEM.

tags | exploit
systems | windows
advisories | CVE-2019-0841
MD5 | c94395650cca2e92c0d550946f0e7a22
Microsoft Windows Font Cache Service Insecure Sections
Posted Jun 24, 2019
Authored by James Forshaw, Google Security Research

The Windows Font Cache Service exposes section objects insecurely to low privileged users resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0755
MD5 | 44c606ddd4aece1d53887c9140628a82
Microsoft Windows CmpAddRemoveContainerToCLFSLog Arbitrary File / Directory Creation
Posted Jun 24, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a CmpAddRemoveContainerToCLFSLog arbitrary file and directory creation vulnerability that allows for elevation of privilege.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2019-0755
MD5 | d2b73dca2b8642efcc867ea985e64304
Microsoft Windows CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration
Posted May 21, 2019
Authored by James Forshaw, Google Security Research

The Microsoft Windows kernel's Registry Virtualization does not safely open the real key for a virtualization location leading to enumerating arbitrary keys resulting in privilege escalation.

tags | exploit, arbitrary, kernel, registry
systems | windows
advisories | CVE-2019-0881
MD5 | b9ac41d7a345cbb537b2a935197cf91b
VirtualBox COM RPC Interface Code Injection / Privilege Escalation
Posted Apr 24, 2019
Authored by James Forshaw, Google Security Research

The hardened VirtualBox process on a Windows host does not secure its COM interface leading to arbitrary code injection and elevation of privilege.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2017-10204
MD5 | d89a703071dfda548e916560bbdf3ffe
Microsoft Windows LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver has a race condition in the LuafvPostReadWrite callback if delay virtualization has occurred during a read leading to the SECTION_OBJECT_POINTERS value being reset to the underlying file resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0836
MD5 | 6d02ec8a84f62a9cf2ee150b26a8f78a
Microsoft Windows LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver can confuse the cache and memory manager to replace the contents of privileged file leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0805
MD5 | 77b361493b8c0d502d033818bd814a0b
Microsoft Windows LUAFV NtSetCachedSigningLevel Device Guard Bypass
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached signature to an arbitrary file leading to a bypass of code signing enforcement under UMCI with Device Guard.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2019-0732
MD5 | c842665e8c982e999825c50d9c78df7a
Microsoft Windows LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver bypasses security checks to copy short names during file virtualization which can be tricked into writing an arbitrary short name leading to elevation of privilege.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2019-0796
MD5 | dd49da95f51474f4c5e19bc2d1015952
Microsoft Windows LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver doesn't take into account a virtualized handle being duplicated to a more privileged process resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0731
MD5 | a1fec4a7c7f902a8a18eb1e16515b938
Microsoft Windows LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver reuses the file's create request DesiredAccess parameter, which can include MAXIMUM_ACCESS, when virtualizing a file resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0730
MD5 | 3cb71794adeb390f66e06400fdb22445
Microsoft Windows CSRSS SxSSrv Cached Manifest Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the SxS manifest cache in CSRSS uses a weak key allowing an attacker to fill a cache entry for a system binary leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0735
MD5 | 9f3bf345b40d34f07347582eafa1a2c3
VMware Host VMX Process COM Class Hijack Privilege Escalation
Posted Mar 25, 2019
Authored by James Forshaw, Google Security Research

The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user which results in the elevated process sharing resources such as COM registrations with the normal user who can modify the registry to force an arbitrary DLL to be loaded into the VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.

tags | exploit, arbitrary, registry
systems | windows
advisories | CVE-2019-5512
MD5 | 89f47ed75e40cece6cb2c49cd4ca6364
Page 1 of 4
Back1234Next

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close