Microsoft Windows suffers from an insecure CSharedStream object privilege escalation vulnerability.
9abd67b8467f3e60623b8e86d9c7f4d8fade22c3b12d417cba3715c52580f6f9The NTFS driver supports a new FS control code to set a mount point which the existing sandbox mitigation doesn't support allowing a sandboxed application to set an arbitrary mount point symbolic link.
5e9c5121a127979454b72fcbedbeaf8818d0f391241fc1114f924d8d9e628a56On Microsoft Windows, the RPCSS Activation Kernel RPC server's security callback can be bypassed resulting in elevation of privilege.
8798d39be121b1ca424688b64bf7499391b79aa9b2b31c8a56654a285be15b2eThere exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This Metasploit module employs a technique using the Diagnostics Hub Standard Collector Service (DiagHub) which was discovered by James Forshaw to load and execute a DLL as SYSTEM.
768fb56de1ec7de8dd28e560c3995953fbeca7925352b92e82d879e144ae0251The Windows Font Cache Service exposes section objects insecurely to low privileged users resulting in elevation of privilege.
dcd4603b5df7584c96b28ba89a54652b0a598775dce738ad4fce99ceb40bfde3Microsoft Windows suffers from a CmpAddRemoveContainerToCLFSLog arbitrary file and directory creation vulnerability that allows for elevation of privilege.
e9fe2f31e8d857a922afac6a9b0dc08c238b42596dd0c0b56fd16a1c45e94752The Microsoft Windows kernel's Registry Virtualization does not safely open the real key for a virtualization location leading to enumerating arbitrary keys resulting in privilege escalation.
36e4c1600341712dd48481dde14154b5ae9680dbb41cdfae332f3ee20e766b99The hardened VirtualBox process on a Windows host does not secure its COM interface leading to arbitrary code injection and elevation of privilege.
e46258bb33069de1c03e75f59d382519239af32450b9b51519f9c219934851b9On Microsoft Windows, the LUAFV driver has a race condition in the LuafvPostReadWrite callback if delay virtualization has occurred during a read leading to the SECTION_OBJECT_POINTERS value being reset to the underlying file resulting in elevation of privilege.
1e8cd54d3c2d772976524e371c95b1d714210d40f0a02d7fb49facede63a5c9eOn Microsoft Windows, the LUAFV driver can confuse the cache and memory manager to replace the contents of privileged file leading to elevation of privilege.
2f0783d66d46e920f1e358cb270db27803dfe9308027b531f607dbab38974980On Microsoft Windows, the NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached signature to an arbitrary file leading to a bypass of code signing enforcement under UMCI with Device Guard.
5e11646fa10b0479415382c2a97eb9d01f2462f9f48431fe8f465de293d45f36On Microsoft Windows, the LUAFV driver bypasses security checks to copy short names during file virtualization which can be tricked into writing an arbitrary short name leading to elevation of privilege.
72c0e2e26c794f1e484bea3169422e90d36accc9e727f3f347fdeb0418dabcbcOn Microsoft Windows, the LUAFV driver doesn't take into account a virtualized handle being duplicated to a more privileged process resulting in elevation of privilege.
aa83f4bf9c9d7ac15d9c50d8e2eb520ebe906895d7841085259cbda854780e60On Microsoft Windows, the LUAFV driver reuses the file's create request DesiredAccess parameter, which can include MAXIMUM_ACCESS, when virtualizing a file resulting in elevation of privilege.
c6698b041f1966005a9d6cd5b1e2888b8cb194d1fd4f68b6863494c7a26ab4e6On Microsoft Windows, the SxS manifest cache in CSRSS uses a weak key allowing an attacker to fill a cache entry for a system binary leading to elevation of privilege.
ad66ed46b7b1347ea52c8af3e54cce2e72fd812fa5124a8d4ad94efa3452229cThe VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user which results in the elevated process sharing resources such as COM registrations with the normal user who can modify the registry to force an arbitrary DLL to be loaded into the VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.
032bc0791aa032c4cf3fd94b8d7db2846f5bc0d3465f7a023e94a81286eb18ffThe VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user and follows the common pattern of impersonating the user while calling CreateProcessAsUser. This is an issue as the user has the ability to replace any drive letter for themselves, which allows a non-admin user to hijack the path to the VMX executable, allowing the user to get arbitrary code running as a trusted VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.0.2.
770beade272f39c1d6868fdb30316cb00f9c1a560eb4acdbffe3b9df7efe3b3bMSHTML only checks for the CLSID associated with VBScript when blocking in the Internet Zone, but doesn't check other VBScript CLSIDs which allow a web page to bypass the security zone policy.
a033e526788dc652d88a6718933e8da263d965274cd8d51465eee224f1f23696A number of Partial Trust Windows Runtime classes expose the XmlDocument class across process boundaries to less privileged callers which in its current form can be used to elevate privileges and escape the Edge Content LPAC sandbox.
c424c234f0bbbf82e0e97152ab4029060170b5ecdc5e371726a2bbc2a62a4a45The WinRT RestrictedErrorInfo does not correctly check the validity of a handle to a section object which results in closing an unrelated handle which can lead to an elevation of privilege.
7368ae1fbc7a1684f268e0456e118a6d77785b364e0f6b92f66b35659a90b7d1Microsoft Windows suffers from a COM Desktop Broker privilege escalation vulnerability.
33a511953b339dc0e1972b9e5d70cb061f5535f1c28bf05b53b610d61a34b5d1Microsoft Windows suffers from a Browser Broker cross session privilege escalation vulnerability.
ddd82e45b38c10a4ea474a1a2c6d6d87babb509f675225dd4f8c79a227f6ebe5Microsoft Windows suffers from DSSVC MoveFileInheritSecurity privilege escalation vulnerabilities.
c403ab30a837b3f505f24f68d4d313a67648ce8506b418b5d1d397758b14e447Microsoft Windows suffers from a DSSVC CanonicalAndValidateFilePath security feature bypass vulnerability.
9dbf65e12230e4a56a60b5f390ba44d4ebb6405dadefa61686dc490863c23434Microsoft Windows suffers from a DSSVC DSOpenSharedFile arbitrary file delete privilege escalation vulnerability.
9c68ae659efdc195a9f1126b01360504d6b3962f9a0e23c78ea8993666786e4e
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed