Microsoft Windows suffers from an insecure CSharedStream object privilege escalation vulnerability.
9abd67b8467f3e60623b8e86d9c7f4d8fade22c3b12d417cba3715c52580f6f9
The NTFS driver supports a new FS control code to set a mount point, which the existing sandbox mitigation doesn't support, allowing a sandboxed application to set an arbitrary mount point symbolic link.
5e9c5121a127979454b72fcbedbeaf8818d0f391241fc1114f924d8d9e628a56
On Microsoft Windows, the RPCSS Activation Kernel RPC server's security callback can be bypassed resulting in elevation of privilege.
8798d39be121b1ca424688b64bf7499391b79aa9b2b31c8a56654a285be15b2e
There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This Metasploit module employs a technique using the Diagnostics Hub Standard Collector Service (DiagHub) which was discovered by James Forshaw to load and execute a DLL as SYSTEM.
768fb56de1ec7de8dd28e560c3995953fbeca7925352b92e82d879e144ae0251
The Windows Font Cache Service exposes section objects insecurely to low privileged users resulting in elevation of privilege.
dcd4603b5df7584c96b28ba89a54652b0a598775dce738ad4fce99ceb40bfde3
Microsoft Windows suffers from a CmpAddRemoveContainerToCLFSLog arbitrary file and directory creation vulnerability that allows for elevation of privilege.
e9fe2f31e8d857a922afac6a9b0dc08c238b42596dd0c0b56fd16a1c45e94752
The Microsoft Windows kernel's Registry Virtualization does not safely open the real key for a virtualization location, which allows enumeration of arbitrary keys and results in privilege escalation.
36e4c1600341712dd48481dde14154b5ae9680dbb41cdfae332f3ee20e766b99
The hardened VirtualBox process on a Windows host does not secure its COM interface leading to arbitrary code injection and elevation of privilege.
e46258bb33069de1c03e75f59d382519239af32450b9b51519f9c219934851b9
On Microsoft Windows, the LUAFV driver has a race condition in the LuafvPostReadWrite callback if delay virtualization has occurred during a read, leading to the SECTION_OBJECT_POINTERS value being reset to the underlying file and resulting in elevation of privilege.
1e8cd54d3c2d772976524e371c95b1d714210d40f0a02d7fb49facede63a5c9e
On Microsoft Windows, the LUAFV driver can confuse the cache and memory manager to replace the contents of a privileged file, leading to elevation of privilege.
2f0783d66d46e920f1e358cb270db27803dfe9308027b531f607dbab38974980
On Microsoft Windows, the NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached signature to an arbitrary file leading to a bypass of code signing enforcement under UMCI with Device Guard.
5e11646fa10b0479415382c2a97eb9d01f2462f9f48431fe8f465de293d45f36
On Microsoft Windows, the LUAFV driver bypasses security checks to copy short names during file virtualization and can be tricked into writing an arbitrary short name, leading to elevation of privilege.
72c0e2e26c794f1e484bea3169422e90d36accc9e727f3f347fdeb0418dabcbc
On Microsoft Windows, the LUAFV driver doesn't take into account a virtualized handle being duplicated to a more privileged process resulting in elevation of privilege.
aa83f4bf9c9d7ac15d9c50d8e2eb520ebe906895d7841085259cbda854780e60
On Microsoft Windows, the LUAFV driver reuses the file's create request DesiredAccess parameter, which can include MAXIMUM_ACCESS, when virtualizing a file resulting in elevation of privilege.
c6698b041f1966005a9d6cd5b1e2888b8cb194d1fd4f68b6863494c7a26ab4e6
On Microsoft Windows, the SxS manifest cache in CSRSS uses a weak key allowing an attacker to fill a cache entry for a system binary leading to elevation of privilege.
ad66ed46b7b1347ea52c8af3e54cce2e72fd812fa5124a8d4ad94efa3452229c
The VMX process (vmware-vmx.exe) configures and hosts an instance of a VM. As is common with desktop virtualization platforms, the VM host usually has privileged access into the OS, such as mapping physical memory, which represents a security risk. To mitigate this, the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe), which runs as SYSTEM. This prevents a non-administrator user from opening the process and abusing its elevated access. Unfortunately, the process is created as the desktop user, which results in the elevated process sharing resources such as COM registrations with the normal user, who can modify the registry to force an arbitrary DLL to be loaded into the VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.
032bc0791aa032c4cf3fd94b8d7db2846f5bc0d3465f7a023e94a81286eb18ff
The VMX process (vmware-vmx.exe) configures and hosts an instance of a VM. As is common with desktop virtualization platforms, the VM host usually has privileged access into the OS, such as mapping physical memory, which represents a security risk. To mitigate this, the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe), which runs as SYSTEM. This prevents a non-administrator user from opening the process and abusing its elevated access. Unfortunately, the process is created as the desktop user and follows the common pattern of impersonating the user while calling CreateProcessAsUser. This is an issue because the user has the ability to replace any drive letter for themselves, which allows a non-admin user to hijack the path to the VMX executable and get arbitrary code running as a trusted VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.0.2.
770beade272f39c1d6868fdb30316cb00f9c1a560eb4acdbffe3b9df7efe3b3b
MSHTML only checks for the CLSID associated with VBScript when blocking in the Internet Zone, but doesn't check other VBScript CLSIDs, which allows a web page to bypass the security zone policy.
a033e526788dc652d88a6718933e8da263d965274cd8d51465eee224f1f23696
A number of Partial Trust Windows Runtime classes expose the XmlDocument class across process boundaries to less privileged callers, which in its current form can be used to elevate privileges and escape the Edge Content LPAC sandbox.
c424c234f0bbbf82e0e97152ab4029060170b5ecdc5e371726a2bbc2a62a4a45
The WinRT RestrictedErrorInfo does not correctly check the validity of a handle to a section object, which results in closing an unrelated handle and can lead to an elevation of privilege.
7368ae1fbc7a1684f268e0456e118a6d77785b364e0f6b92f66b35659a90b7d1
Microsoft Windows suffers from a COM Desktop Broker privilege escalation vulnerability.
33a511953b339dc0e1972b9e5d70cb061f5535f1c28bf05b53b610d61a34b5d1
Microsoft Windows suffers from a Browser Broker cross session privilege escalation vulnerability.
ddd82e45b38c10a4ea474a1a2c6d6d87babb509f675225dd4f8c79a227f6ebe5
Microsoft Windows suffers from DSSVC MoveFileInheritSecurity privilege escalation vulnerabilities.
c403ab30a837b3f505f24f68d4d313a67648ce8506b418b5d1d397758b14e447
Microsoft Windows suffers from a DSSVC CanonicalAndValidateFilePath security feature bypass vulnerability.
9dbf65e12230e4a56a60b5f390ba44d4ebb6405dadefa61686dc490863c23434
Microsoft Windows suffers from a DSSVC DSOpenSharedFile arbitrary file delete privilege escalation vulnerability.
9c68ae659efdc195a9f1126b01360504d6b3962f9a0e23c78ea8993666786e4e