what you don't know can hurt you
Showing 1 - 25 of 71 RSS Feed

Files from James Forshaw

Email addressforshaw at google.com
First Active2011-08-11
Last Active2019-04-16
Microsoft Windows LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver has a race condition in the LuafvPostReadWrite callback if delay virtualization has occurred during a read leading to the SECTION_OBJECT_POINTERS value being reset to the underlying file resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0836
MD5 | 6d02ec8a84f62a9cf2ee150b26a8f78a
Microsoft Windows LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver can confuse the cache and memory manager to replace the contents of privileged file leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0805
MD5 | 77b361493b8c0d502d033818bd814a0b
Microsoft Windows LUAFV NtSetCachedSigningLevel Device Guard Bypass
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached signature to an arbitrary file leading to a bypass of code signing enforcement under UMCI with Device Guard.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2019-0732
MD5 | c842665e8c982e999825c50d9c78df7a
Microsoft Windows LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver bypasses security checks to copy short names during file virtualization which can be tricked into writing an arbitrary short name leading to elevation of privilege.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2019-0796
MD5 | dd49da95f51474f4c5e19bc2d1015952
Microsoft Windows LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver doesn't take into account a virtualized handle being duplicated to a more privileged process resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0731
MD5 | a1fec4a7c7f902a8a18eb1e16515b938
Microsoft Windows LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver reuses the file's create request DesiredAccess parameter, which can include MAXIMUM_ACCESS, when virtualizing a file resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0730
MD5 | 3cb71794adeb390f66e06400fdb22445
Microsoft Windows CSRSS SxSSrv Cached Manifest Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the SxS manifest cache in CSRSS uses a weak key allowing an attacker to fill a cache entry for a system binary leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0735
MD5 | 9f3bf345b40d34f07347582eafa1a2c3
VMware Host VMX Process COM Class Hijack Privilege Escalation
Posted Mar 25, 2019
Authored by James Forshaw, Google Security Research

The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user which results in the elevated process sharing resources such as COM registrations with the normal user who can modify the registry to force an arbitrary DLL to be loaded into the VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.

tags | exploit, arbitrary, registry
systems | windows
advisories | CVE-2019-5512
MD5 | 89f47ed75e40cece6cb2c49cd4ca6364
VMware Host VMX Process Impersonation Hijack Privilege Escalation
Posted Mar 25, 2019
Authored by James Forshaw, Google Security Research

The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user and follows the common pattern of impersonating the user while calling CreateProcessAsUser. This is an issue as the user has the ability to replace any drive letter for themselves, which allows a non-admin user to hijack the path to the VMX executable, allowing the user to get arbitrary code running as a trusted VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.0.2.

tags | exploit
systems | windows
advisories | CVE-2018-5511
MD5 | c70a9a606361322046a94717d41168b1
Microsoft Windows IE11 VBScript Execution Policy Bypass In MSHTML
Posted Mar 19, 2019
Authored by James Forshaw, Google Security Research

MSHTML only checks for the CLSID associated with VBScript when blocking in the Internet Zone, but doesn't check other VBScript CLSIDs which allow a web page to bypass the security zone policy.

tags | exploit, web
advisories | CVE-2019-0768
MD5 | 584cf23d79ac670ff438b7731597d0f4
Microsoft Windows XmlDocument Insecure Sharing Privilege Escalation
Posted Jan 16, 2019
Authored by James Forshaw, Google Security Research

A number of Partial Trust Windows Runtime classes expose the XmlDocument class across process boundaries to less privileged callers which in its current form can be used to elevate privileges and escape the Edge Content LPAC sandbox.

tags | exploit
systems | windows
advisories | CVE-2019-0555
MD5 | 397ad74317743a7207220aa6b8785b70
Microsoft Windows RestrictedErrorInfo Unmarshal Section Handle Use-After-Free
Posted Jan 16, 2019
Authored by James Forshaw, Google Security Research

The WinRT RestrictedErrorInfo does not correctly check the validity of a handle to a section object which results in closing an unrelated handle which can lead to an elevation of privilege.

tags | exploit
advisories | CVE-2019-0570
MD5 | 2dc1425b83ba55c550113e0d3f7b4578
Microsoft Windows COM Desktop Broker Privilege Escalation
Posted Jan 15, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a COM Desktop Broker privilege escalation vulnerability.

tags | exploit
systems | windows
advisories | CVE-2019-0552
MD5 | 33bec631eeba1af2a94a0e9dbba06bd0
Microsoft Windows Browser Broker Cross Session Privilege Escalation
Posted Jan 15, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a Browser Broker cross session privilege escalation vulnerability.

tags | exploit
systems | windows
advisories | CVE-2019-0566
MD5 | 229198c64a95f918f122595f4ee355a9
Microsoft Windows DSSVC MoveFileInheritSecurity Privilege Escalation
Posted Jan 15, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from DSSVC MoveFileInheritSecurity privilege escalation vulnerabilities.

tags | exploit, vulnerability
systems | windows
advisories | CVE-2019-0574
MD5 | 66e30ac5fe6b293e058c5267f533b4ef
Microsoft Windows DSSVC CanonicalAndValidateFilePath Security Feature Bypass
Posted Jan 15, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a DSSVC CanonicalAndValidateFilePath security feature bypass vulnerability.

tags | exploit, bypass
systems | windows
advisories | CVE-2019-0571
MD5 | 47b391aa29c8007a02ea421b578013c9
Microsoft Windows DSSVC DSOpenSharedFile Arbitrary File Delete Privilege Escalation
Posted Jan 15, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a DSSVC DSOpenSharedFile arbitrary file delete privilege escalation vulnerability.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2019-0573
MD5 | b222cf88f9572d3d9f640ba2ca02e3d4
Microsoft Windows DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation
Posted Jan 15, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a DSSVC DSOpenSharedFile arbitrary file open privilege escalation vulnerability.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2019-0572
MD5 | bb2e921fb41ce1f0d91dd85e884db5f2
Microsoft Windows SSPI Network Authentication Session 0 Privilege Escalation
Posted Jan 15, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from an SSPI network authentication session 0 privilege escalation vulnerability.

tags | exploit
systems | windows
advisories | CVE-2019-0543
MD5 | 983731eb8f0ab4d5e06fd6f0de137c76
Microsoft Windows DSSVC CheckFilePermission Arbitrary File Deletion
Posted Jan 8, 2019
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a privilege escalation vulnerability. The Data Sharing Service does not has a TOCTOU in PolicyChecker::CheckFilePermission resulting in an arbitrary file deletion.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-8584
MD5 | bd93c9fa1baa36c07dad7069c043ffd7
McAfee True Key 5.1.173.1 Privilege Escalation
Posted Dec 11, 2018
Authored by James Forshaw, Google Security Research

McAfee True Key version 5.1.173.1 on Windows 10 1809 has multiple issues in the implementation of the McAfee.TrueKey.Service which can result in privilege escalation through executing arbitrary processes or deleting files and directories.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-6755, CVE-2018-6756, CVE-2018-6757
MD5 | f1a320f91998eaef2cba50213365ef59
Microsoft Windows Unnamed Kernel Object Privilege Escalation
Posted Nov 20, 2018
Authored by James Forshaw, Google Security Research

Microsoft Windows 10 1803 and 1809 have an issue with unnamed kernel object creation. It's possible to default the security descriptor owner or mandatory label to the value from an Identification level impersonation token leading to elevation of privilege.

tags | exploit, kernel
systems | windows
MD5 | ef10a4d238e0690bde490f41457b96fe
Microsoft Windows DfMarshal Unsafe Unmarshaling Privilege Escalation
Posted Nov 20, 2018
Authored by James Forshaw, Google Security Research

Microsoft Windows 10 1803 suffers from a DfMarshal unsafe unmarshaling elevation of privilege vulnerability.

tags | exploit
systems | windows
advisories | CVE-2018-8550
MD5 | 09ad3ab8d6e51e9b91013505bdb58986
Microsoft Windows FSCTL_FIND_FILES_BY_SID Information Disclosure
Posted Oct 16, 2018
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the FSCTL_FIND_FILES_BY_SID control code does not check for permissions to list a directory leading to disclosure of file names when a user is not granted FILE_LIST_DIRECTORY access.

tags | exploit
systems | windows
advisories | CVE-2018-8411
MD5 | 1ad1fd11e41df6d259aeb00e3e6cc367
Microsoft Windows NtEnumerateKey Privilege Escalation
Posted Sep 19, 2018
Authored by James Forshaw, Google Security Research

Microsoft Windows suffers from a double dereference in NtEnumerateKey that leads to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2018-8410
MD5 | 4f74d58bd627bf009b466bba6d3ced66
Page 1 of 3
Back123Next

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close