Microsoft Windows suffers from a Desktop Bridge Virtual Registry NtLoadKey arbitrary file read / write privilege escalation vulnerability.
8f2f9e0389c7548dbde759deeba68e5cd3a12fc66f9fb82eef907f69b1ca9eb7
Microsoft Windows suffers from a Desktop Bridge Virtual Registry arbitrary file read / write privilege escalation vulnerability.
e524422547b177b8b51dff37c1fe898479cd8d33e5a29bcaa8940ba138b96b32
The Microsoft Windows kernel suffers from a 64-bit pool memory disclosure vulnerability via REG_RESOURCE_REQUIREMENTS_LIST registry values.
1550cc46fe7a3f57880f07c2504a93b23de2428f61b09def06cbb61cf5b64e8a
The Microsoft Windows kernel suffers from a 64-bit pool memory disclosure vulnerability via REG_RESOURCE_LIST registry values (videoprt.sys descriptors).
69b444dc190f17c0fe398e83b60a8120337dbed1b5a38f5316df706a0d50461d
The Microsoft Windows kernel suffers from a 64-bit pool memory disclosure vulnerability via REG_RESOURCE_LIST registry values (CmResourceTypeDevicePrivate entries).
2f32ed721390c6207af8dde961475d5f6dd8d7e5007722aeec53608034508481
Asterisk Project Security Advisory - The RTP support in Asterisk maintains its own registry of dynamic codecs and desired payload numbers. While an SDP negotiation may result in a codec using a different payload number these desired ones are still stored internally. When an RTP packet was received this registry would be consulted if the payload number was not found in the negotiated SDP. This registry was incorrectly consulted for all packets, even those which are dynamic. If the payload number resulted in a codec of a different type than the RTP stream (for example the payload number resulted in a video codec but the stream carried audio) a crash could occur if no stream of that type had been negotiated. This was due to the code incorrectly assuming that a stream of the type would always exist.
7deda55a35acebe5f67e42485b2042572f1941ee107a31867433c7a487a737c0
FortiClient stores the VPN authentication credentials in a configuration file (on Linux or Mac OSX) or in registry (on Windows). The credentials are encrypted but can still be recovered since the decryption key is hardcoded in the program and the same on all installations. Above all, the aforementioned storage is world readable, which actually lays the foundation for the credential recovery. Versions prior to 4.4.2335 on Linux, 5.6.1 on Windows, and 5.6.1 on Mac OSX are vulnerable.
e979475b106297fb2dc050e554be589a58bf126c0e7adb1e3495fc242851917d
Oracle Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'. This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack can be leveraged to disclose files, cause a denial of service or trigger SSRF. Versions v8u131 and below are affected.
95eeae9eabde4f8ff4be6539a758b833f6a5e74bc86b983863634a6eabcb0b56
Red Hat Security Advisory 2017-2603-01 - The docker-distribution package provides the tool set to support the Docker Registry version 2. The following packages have been upgraded to a later upstream version: docker-distribution. Security Fix: It was found that docker-distribution did not properly restrict memory allocation size for a registry instance through the manifest endpoint. An attacker could send a specially crafted request that would exhaust the memory of the docker-distribution service.
53ec734f6192f5f8bc52081327df866de68ca105552e577631b99de82e6ea719
This Metasploit module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation. This Metasploit module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process. This Metasploit module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.
5643c9d59dd3082682db29197c72dec6efcfecef92c481633dd466d8973ffddb
Red Hat Security Advisory 2017-2424-01 - The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. Multiple flaws were discovered in the RMI, JAXP, ImageIO, Libraries, AWT, Hotspot, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
324dc935f9f63578837b9393e96e87eaa7c0668e94af4e508c55421246d2aa72
Red Hat Security Advisory 2017-1789-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. Multiple flaws were discovered in the RMI, JAXP, ImageIO, Libraries, AWT, Hotspot, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
76628dadd7f569e118fab99cce8ff2b666334e4fb2a442575297edf2ee19eb19
This Metasploit module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This Metasploit module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.
c734bdb09edf5376d5107b207ff1878647e190574e19ad03d2b4f421847dc7b9
Red Hat Security Advisory 2017-0269-01 - The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties.
a21fd41c808b6aa885c14600c8570e57296cb524081c9778b48c723d181b5111
Red Hat Security Advisory 2017-0180-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties.
817d786f6fcaf819d3a9638047776f9eaf7da5c64cde447e1fc2ba1a969a4ba5
This Metasploit module is an implementation of fileless uac bypass using cmd.exe instead of powershell.exe (OJ msf module). This module will create the required registry entry in the current user's hive, set the default value to whatever you pass via the EXEC_COMMAND parameter, and runs eventvwr.exe (hijacking the process being started to gain code execution).
71a3e1287baa3b08f46554d9f2e3a7bd801f903a60a53f43baedfb3420e5dc82
Mac OS suffers from a kernel code execution vulnerability due to writable privileged IOKit registry properties.
a68b5ccbfb9fc13755fd889600a87bb8e5605b88270d85bc52f265ebd895419a
This Metasploit module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This Metasploit module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.
9f324275d7747e6056b99457eba72507d809e7fdc4d2bbdb300c55c482595517
A Windows kernel crash can occur in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by nt!CmpCheckSecurityCellAccess while loading corrupted registry hive files.
5395350a5bb6db06990997f9489cc97555596c3fb508d3b40ddb43659f993001
Windows Kernel Registry Hive loading suffers from a relative arbitrary read in nt!RtlValidRelativeSecurityDescriptor.
80a4978abef184559535ad2ead860cee8b31861865e4e2ed0144052443414e35
Windows Kernel Registry Hive loading suffers from a negative RtlMoveMemory size in nt!CmpCheckValueList.
4226c20f898ddea50aed5ae1e6f543f6545b96a29a2cc2e02158ca52f0cc1996
NtLoadKeyEx takes a flag to open a registry hive read only, if one of the hive files cannot be opened for read access it will revert to write mode and also impersonate the calling process. This can leading to elevation of privilege if a user controlled hive is opened in a system service.
1a8fcebf49504f53a251ec53b447f0516cf99661d4e5a20f9ace8c025cf0207b
The Windows DeviceApi CMApi PiCMOpenClassKey IOCTL allows a normal user to create arbitrary registry keys in the system hive leading to elevation of privilege.
9ed3cfad5f45a4826c3f4edfa4a900d6907941eae3d340562b9af0050fae92ae
The Windows DeviceApi CMApi PnpCtxRegOpenCurrentUserKey function doesn't check the impersonation level of the current effective token allowing a normal user to create arbitrary registry keys in another user's loaded hive leading to elevation of privilege.
2e1231f4bf4a445eede4130d674c86c027caab38c9470a664b4e7bdf8a7fe1ea
NETGATE Registry Cleaner build 16.0.205 suffers from an unquoted service path privilege escalation vulnerability.
5204e6fa173fddb360cca96929d90bdc3ca3fd1e72627ecfb4fbe002b320de24