This Metasploit module leverages a UAC bypass (TokenMagic) in order to spawn a process/conduct a DLL hijacking attack to gain SYSTEM-level privileges. Windows 7 through Windows 10 1803 are affected.
3d550555fdb7911177d802cb18251bb90d83981e45b93f363dcca79c2f431810
The Container Manager Service does not configure STORVSP correctly when opening mapped named pipes leading to privilege escalation.
a5a7b8a6d4d3bd869fe815693a71e3b3b160d9b0acd588ad9dce491050248edb
The Container Manager Service creates an AppContainer process without impersonating the access token leading to privilege escalation.
08b62d49ff9505e1affc60bfb3367e9f2636ae2e993c5a51f8abbccdae306e0f
The Container Manager Service does not impersonate the caller when granting access to virtual disk images leading to privilege escalation.
879e3f4ead07a6f0c0ca5da047994fe7b3ffb02391288f7bf38a0d4568aaee88
The Container Manager Service accepts an access token provided by the user without verification allowing an arbitrary process to be created with another user identity leading to privilege escalation.
66a7b4179cd5c55e74f86503906a67a0fa110323561936f3ee59ec7929362af3
Mozilla's Firefox 85 for Windows has a weak DACL for domain networks.
08a69b8cf9242eaeeea1530f769b9003a468a4abf7dde3f7e851a23a5711e542
The access limit check for non-local admins when accessing the SCM remotely can be bypassed by requesting MAXIMUM_ALLOWED, giving the caller access to start services and perform other operations.
16746b18385cb54ee8752675385f36fd0f42be0f74861d959ada5608511523c5
Microsoft Windows Containers Host Registry Virtual Registry Provider does not correctly handle relative opens, which allows a process in a server silo to access the host registry, leading to elevation of privilege.
3a9b2da40f527338ce39bbd5dce9bee31cef6c99a0ff4669322be1889064b788
The standard user ContainerUser in a Windows Container has elevated privileges and a High integrity level, which makes it administrator-equivalent even though it should be a restricted user.
b317a2978a717df92a18c59b704df44df5773c6029128d2cc21c45a42ecce392
Microsoft Windows has an issue with containers where the kernel chooses the wrong silo when looking up the root object manager directory, leading to elevation of privilege.
61ec9b60807f6d6645a727c024eefbec09106b0d698526164dadbe9308577687
Microsoft Windows has a privilege escalation vulnerability. When a process is running in a server silo, the checks for trusted hive registry key symbolic links are disabled, leading to elevation of privilege.
6bfe0cdda02d4fbe057af9ecc41a80c96bb55fbaab78a5397b48afe2eb1905a5
The Microsoft Windows WOF filter driver does not correctly handle the reparse point setting which allows for an arbitrary file to be cached signed leading to a bypass of UMCI.
f7187a580ed5ddc20b2b930a86832d7b24cd31f5db3e5cf9d99b3c13774e00ee
The Microsoft Windows Cloud Filter HsmOsBlockPlaceholderAccess function allows a user to create arbitrary registry keys in the .DEFAULT users hive leading to elevation of privilege.
74dc9ea6b122383e9da88cbc95551409a14569942eda9298a95b7107c556d891
The Microsoft Windows Cloud Filter access check does not take into account restrictions such as Mandatory Labels allowing a user to bypass security checks.
ab13f889be67421c34dededae4d0f04228ed04132587c76532ade86b69862f9a
The Microsoft Windows Cloud Filter driver can be abused to create arbitrary files and directories leading to elevation of privilege.
9a3290c879be49aca14a16284ca357134f4661368bf483256ce8149957daef11
Microsoft Windows suffers from a local spooler bypass vulnerability.
61c3a397ee51f0006b58ad2f59a3812935b74612177c4a79db2bb0053572084d
The StorageFolder class when used out of process can bypass security checks to read and write files not allowed to an AppContainer.
02e31b80fa05e9829fb35764d85806a69ec5db202f42ff20b112f3346433b2c8
The CloudExperienceHostBroker hosts unsafe COM objects accessible to a normal user, leading to elevation of privilege.
7888834d5b9f65c613c040c3ae903e13e111aac394ea82b8960fd0610e98dd60
The handling of KTM logs when initializing a Registry Hive contains no bounds checks which results in privilege escalation.
0ae399542cc10a8ccc557083deb691282149c87bc3ab0445c6922d410bec88ee
The handling of KTM logs does not limit Registry Key operations to the loading hive leading to elevation of privilege.
dc36265f20912463478c32c5203d3f4e619cc492c989532a060ccc10362e3045
On Microsoft Windows 10 1909, LSASS does not correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user's credentials.
add2a6155569229eb72c46617e93a9349d033f14467cf27d02c0e25d3f347e94
The Firefox content processes do not sufficiently lock down access control, which can result in a sandbox escape.
5ab57ea898f6984a1d902219e6b5dad81c2a3fda15ddd5b7b3e8b94690951fda
In Microsoft Windows, by using the poorly documented SE_SERVER_SECURITY control flag it is possible to set an owner different from the caller, bypassing security checks.
6190a41a4bab66c3d432306ebf9e46df8ad7f570d30d1ad5540b36c9729f1aa1
Microsoft Windows suffers from an NtFilterToken vulnerability in which ParentTokenId is set incorrectly, allowing elevation of privilege.
698ed1c47976f1e2386429b605fead68fe0c4b0f58fb832281caf6e36f6add44
The shared ShaderCache directory can be exploited to create an arbitrary file on the file system leading to elevation of privilege.
42972162199840d73133649daee92c612bd4f0e4d753af1fd1741e61308dea92