Articles by @clavoillotte

Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911)

Published on Thu 06 July 2023 by @clavoillotte

The Windows Installer accesses the MSI files in C:\Windows\Installer while impersonating the user (and using the impersonated user's device map), and trusts these files to perform elevated/privileged operations such as registry key creation. This can be abused by an unprivileged user to obtain SYSTEM privileges.

 

Windows Error Reporting Manager arbitrary file move Elevation of Privilege (CVE-2019-1315)

Published on Tue 08 October 2019 by @clavoillotte

The privileged file operations performed by the Windows Error Reporting service on user-writable files can be abused to rename/move arbitrary files with SYSTEM privileges. This can be used by an unprivileged user to obtain SYSTEM privileges.

 

Osquery for Windows access right misconfiguration Elevation of Privilege (CVE-2019-3567)

Published on Tue 04 June 2019 by @clavoillotte

An access right misconfiguration in Osquery for Windows can be abused to run arbitrary programs or load arbitrary DLLs. This can be used by an unprivileged user to obtain SYSTEM privileges on the local machine.

 

An introduction to privileged file operation abuse on Windows

Published on Wed 20 March 2019 by @clavoillotte

This is a (somewhat long) introduction to abusing file operations performed by privileged processes on Windows for local privilege escalation (user to admin/SYSTEM), and a presentation of the available techniques, tools and procedures to exploit these types of bugs.

 

F-Secure SAFE arbitrary file copy Elevation of Privilege

Published on Wed 20 March 2019 by @clavoillotte

A privileged file copy performed by SAFE when an infected file is detected can be abused to overwrite an arbitrary file. This can be used by an unprivileged user to obtain SYSTEM privileges on the local machine.

 

McAfee Endpoint Security arbitrary file write Elevation of Privilege (CVE-2019-3582)

Published on Wed 20 March 2019 by @clavoillotte

The permissive access rights on the log and quarantine files, folders and configuration, together with the privileged file manipulation that McAfee Endpoint Security performs on these files, can be abused to create or delete arbitrary files, or to create arbitrary registry keys. This can be used by an unprivileged user to obtain SYSTEM privileges on the local machine.

 

Pulse Secure client arbitrary file write Elevation of Privilege (CVE-2018-11002)

Published on Wed 20 March 2019 by @clavoillotte

The permissive access rights on the log folder, log files and shared memory section, as set by the Pulse Secure client's logging service, can be abused to create arbitrary files with write access. This can be used by an unprivileged user to obtain SYSTEM privileges on the local machine.
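The McAfee Endpoint Security and Pulse Secure entries above share one root cause: a SYSTEM service operating on files in folders that any local user can write to. The PowerShell audit below is an added example, not code from either advisory or vendor. It walks a set of directories and reports Allow ACEs that grant write-type rights to principals every unprivileged user can present. The paths in `$PathsToAudit` are placeholders to replace with the data directories of the service under review.

```powershell
# Added example (not from the original advisories): audit directories that a
# privileged service reads or writes for ACEs granting write-type rights to
# principals any local user can present. The paths are placeholders.
$PathsToAudit = @(
    'C:\ProgramData\ExampleVendor\Logs',
    'C:\ProgramData\ExampleVendor\Quarantine'
)

# Well-known SIDs every unprivileged local user is a member of.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let the holder create, replace, delete or re-ACL content.
# FileSystemRights.Write already covers WriteData/CreateFiles,
# AppendData/CreateDirectories, WriteExtendedAttributes and WriteAttributes.
$GenericWrite = 0x40000000   # GENERIC_WRITE: no FileSystemRights name, shows as a number
$GenericAll   = 0x10000000   # GENERIC_ALL
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership) -bor $GenericWrite -bor $GenericAll

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable or foreign SID: not one of the low-priv ones
        if ($LowPrivSids -notcontains $sid) { continue }
        # The int cast keeps the raw access mask, so generic bits that have no
        # enum name are still tested against $WriteMask.
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceFlags
        }
    }
}

$findings = foreach ($root in $PathsToAudit) {
    Get-WeakAce -Path $root
    if (Test-Path -LiteralPath $root -PathType Container) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Get-WeakAce -Path $_.FullName }
    }
}

$findings | Format-Table -AutoSize
```

Run it from the low-privileged account under review. An ACE reported with `Inherited = True` was set on a parent directory, which is where the fix belongs; a non-inherited one was set by the installer or the service itself. File and folder ACLs are all `Get-Acl` covers: the shared memory section named in the Pulse Secure entry is a kernel object whose DACL has to be inspected with a tool that opens the object itself, such as Sysinternals AccessChk or WinObj.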

 

UAC bypass via elevated .NET applications

Published on Fri 15 September 2017 by @clavoillotte

.NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10 (including the latest RS3 builds) by making an auto-elevate .NET process (such as MMC snap-ins) load an arbitrary DLL.
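The two injection points this entry describes are both under the user's control: per-user environment variables and per-user CLSID registrations. The PowerShell check below is an added example, not code from the article. The variable names (`COR_ENABLE_PROFILING`, `COR_PROFILER`, `COR_PROFILER_PATH*`) and the `HKCR\CLSID\{...}\InprocServer32` lookup are the documented .NET Framework profiling mechanism and are not named on the page; the set of "trusted roots" is an assumption made for the example.

```powershell
# Added example (not from the original article): enumerate the per-user
# hooks the CLR profiling API honours. The variable names and the CLSID
# lookup path are the documented .NET Framework ones, not taken from the page.
$ProfilerVars = @('COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
                  'COR_PROFILER_PATH_32', 'COR_PROFILER_PATH_64')

# Roots an unprivileged user cannot normally write to (assumption for this
# example); a COM server DLL anywhere else is attacker-controllable.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $full = [System.Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $TrustedRoots) {
        if ($full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. HKCU\Environment is writable by the user and inherited by every process
#    the user launches, including ones that auto-elevate through UAC.
$userEnv = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
foreach ($name in $ProfilerVars) {
    $value = $userEnv.$name
    if ($null -eq $value) { continue }
    $findings.Add([pscustomobject]@{
        Source   = 'HKCU\Environment'
        Key      = $name
        Value    = $value
        Severity = 'ProfilerHook'
    })
}

# 2. COR_PROFILER names a CLSID that the runtime resolves through HKCR, and
#    HKCR merges HKCU\Software\Classes ahead of HKLM, so the COM server can be
#    registered without admin rights. Other per-user InprocServer32 entries
#    outside the trusted roots are listed as well, since the same lookup order
#    serves the COM-component variant described in the entry.
$profilerClsid = "$($userEnv.COR_PROFILER)".Trim()
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path -Path $clsidRoot) {
    Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $server = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if ($null -eq $server) { return }
        $dll = $server.'(default)'
        $isProfiler = $profilerClsid -and ($_.PSChildName -ieq $profilerClsid)
        if (-not $isProfiler -and (Test-TrustedPath $dll)) { return }
        $severity = if ($isProfiler) { 'ProfilerHook' } else { 'UserWritableComServer' }
        $findings.Add([pscustomobject]@{
            Source   = $_.PSChildName
            Key      = 'InprocServer32'
            Value    = $dll
            Severity = $severity
        })
    }
}

$findings | Sort-Object Severity | Format-Table -AutoSize
```

Anything reported as `ProfilerHook` is the condition the entry describes: a profiler variable set for the whole session, or the CLSID it points at registered in the user hive. `UserWritableComServer` rows are inventory rather than findings, since legitimately installed per-user applications register COM servers under `AppData\Local` all the time; they matter only if one of those CLSIDs is also loaded by an auto-elevating process. `COR_PROFILER_PATH` deserves the same attention as `COR_PROFILER` because it skips the CLSID lookup and names the DLL directly.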