This Metasploit module leverages a UAC bypass (TokenMagic) in order to spawn a process/conduct a DLL hijacking attack to gain SYSTEM-level privileges. Windows 7 through Windows 10 1803 are affected.
3d550555fdb7911177d802cb18251bb90d83981e45b93f363dcca79c2f431810The Container Manager Service does not configure STORVSP correctly when opening mapped named pipes leading to privilege escalation.
a5a7b8a6d4d3bd869fe815693a71e3b3b160d9b0acd588ad9dce491050248edbThe Container Manager Service creates an AppContainer process without impersonating the access token leading to privilege escalation.
08b62d49ff9505e1affc60bfb3367e9f2636ae2e993c5a51f8abbccdae306e0fThe Container Manager Service does not impersonate the caller when granting access to virtual disk images leading to privilege escalation.
879e3f4ead07a6f0c0ca5da047994fe7b3ffb02391288f7bf38a0d4568aaee88The Container Manager Service accepts an access token provided by the user without verification allowing an arbitrary process to be created with another user identity leading to privilege escalation.
66a7b4179cd5c55e74f86503906a67a0fa110323561936f3ee59ec7929362af3Mozilla's Firefox 85 for Windows has a weak DACL for domain networks.
08a69b8cf9242eaeeea1530f769b9003a468a4abf7dde3f7e851a23a5711e542The access limit check for non-local admins when accessing the SCM remotely can be bypassed by requesting MAXIMUM_ALLOWED, leading to gaining access to start services etc.
16746b18385cb54ee8752675385f36fd0f42be0f74861d959ada5608511523c5Microsoft Windows Containers Host Registry Virtual Registry Provider does not correctly handle relative opens leading to a process in a server silo being able to access the host registry leading to elevation of privilege.
3a9b2da40f527338ce39bbd5dce9bee31cef6c99a0ff4669322be1889064b788The standard user ContainerUser in a Windows Container has elevated privileges and High integrity level which results in making it administrator equivalent even though it should be a restricted user.
b317a2978a717df92a18c59b704df44df5773c6029128d2cc21c45a42ecce392Microsoft Windows has an issue with containers where the kernel incorrectly chooses the wrong silo when looking up the root object manager directory leading to elevation of privilege.
61ec9b60807f6d6645a727c024eefbec09106b0d698526164dadbe9308577687Microsoft Windows has a privilege escalation vulnerability. When a process is running in a server silo, the checks for trusted hive registry key symbolic links is disabled leading to elevation of privilege.
6bfe0cdda02d4fbe057af9ecc41a80c96bb55fbaab78a5397b48afe2eb1905a5The Microsoft Windows WOF filter driver does not correctly handle the reparse point setting which allows for an arbitrary file to be cached signed leading to a bypass of UMCI.
f7187a580ed5ddc20b2b930a86832d7b24cd31f5db3e5cf9d99b3c13774e00eeThe Microsoft Windows Cloud Filter HsmOsBlockPlaceholderAccess function allows a user to create arbitrary registry keys in the .DEFAULT users hive leading to elevation of privilege.
74dc9ea6b122383e9da88cbc95551409a14569942eda9298a95b7107c556d891The Microsoft Windows Cloud Filter access check does not take into account restrictions such as Mandatory Labels allowing a user to bypass security checks.
ab13f889be67421c34dededae4d0f04228ed04132587c76532ade86b69862f9aThe Microsoft Windows Cloud Filter driver can be abused to create arbitrary files and directories leading to elevation of privilege.
9a3290c879be49aca14a16284ca357134f4661368bf483256ce8149957daef11Microsoft Windows suffers from a local spooler bypass vulnerability.
61c3a397ee51f0006b58ad2f59a3812935b74612177c4a79db2bb0053572084dThe StorageFolder class when used out of process can bypass security checks to read and write files not allowed to an AppContainer.
02e31b80fa05e9829fb35764d85806a69ec5db202f42ff20b112f3346433b2c8The CloundExperienceHostBroker hosts unsafe COM objects accessible to a normal user leading to elevation of privilege.
7888834d5b9f65c613c040c3ae903e13e111aac394ea82b8960fd0610e98dd60The handling of KTM logs when initializing a Registry Hive contains no bounds checks which results in privilege escalation.
0ae399542cc10a8ccc557083deb691282149c87bc3ab0445c6922d410bec88eeThe handling of KTM logs does not limit Registry Key operations to the loading hive leading to elevation of privilege.
dc36265f20912463478c32c5203d3f4e619cc492c989532a060ccc10362e3045On Microsoft Windows 10 1909, LSASS does not correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user's credentials.
add2a6155569229eb72c46617e93a9349d033f14467cf27d02c0e25d3f347e94The Firefox content processes do not sufficiently lockdown access control which can result in a sandbox escape.
5ab57ea898f6984a1d902219e6b5dad81c2a3fda15ddd5b7b3e8b94690951fdaIn Microsoft Windows, by using the poorly documented SE_SERVER_SECURITY Control flag it is possible to set an owner different to the caller, bypassing security checks.
6190a41a4bab66c3d432306ebf9e46df8ad7f570d30d1ad5540b36c9729f1aa1Microsoft Windows suffers from an NtFilterToken ParentTokenId incorrect setting that allows for elevation of privileges.
698ed1c47976f1e2386429b605fead68fe0c4b0f58fb832281caf6e36f6add44The shared ShaderCache directory can be exploited to create an arbitrary file on the file system leading to elevation of privilege.
42972162199840d73133649daee92c612bd4f0e4d753af1fd1741e61308dea92
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed