This vulnerability allows local attackers to execute arbitrary code on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the n_gsm driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
The Windows Client Side Caching Driver (csc.sys) present in Microsoft Windows is vulnerable to a memory corruption vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by creating a specially crafted IOCTL request. The steps performed by the binary exploit are: Null Pointer write to arbitrary kernel R/W through a CscDevFcbXXXControlFile routine which is called by RDBSS to pass a device FCB control request to the network mini-redirector not validating the input buffer in IOCTL 0x001401a3 Overwrite the thread's PreviousMode through the NULL pointer and get an arbitrary read/write memory primitive via NtWriteVirtualMemory/NtReadVirtualMemory SYSTEM token stealing Agent deployment through process injection on the LSASS.exe process
The Ancillary Function Driver (AFD.sys) present in Microsoft Windows is vulnerable to a double-fetch that causes an integer overflow, which can result in out-of-bounds memory write to non-paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by calling to the WSASendMsg function with crafted parameters.
An attacker who successfully exploited the vulnerability could elevate the integrity level from medium to high with Administrator privileges in two stages. First Stage: The first stage bug is a DLL Hijacking caused by the Drive Remapping of ROOT drive, allowing a MEDIUM INTEGRITY process to be elevated to limited HIGH PRIVILEGES, but without reach the complete privileges to be full Administrator. if the user belongs to the Local Administrators Group, it continues copying the necessary files to perform the exploitation, MsCtfMonitor.dll to the same folder when the agent runs, TAPI32.Manifest and imm32.dll containing the Impact agent to be deployed, are copied to system32\Tasks too. After that, It executes in memory the file sploit.obj that is the executable BOF to perform the first stage, which remaps the ROOT Drive using the NtCreateSymbolicLinkObject function, with that some Services are affected and will attempt to load libraries from the new fake user-controlled system32, in our case CTFMON tries to load the crafted MsCtfMonitor.dll from our fake controlled system32 folder, created by the BOF after remap, next, its DoMsCtfMonitor function is called and executes our code with HIGH INTEGRITY LEVEL with non Administrator privileges. Second Stage: MsCtfMonitor.dll, has the code to perform the Second Stage, it performs Activation Cache Poisoning registering the crafted TAPI32.Manifest placed in system32\Tasks for TAPI32.dll, After that executing tcmsetup.exe it loads tapi32.dll, and the fake manifest added to the Activation Cache loads the imm32.dll with the second phase Impact Agent to elevate to HIGH with full Administrator privileges. Additionally, a module to elevate from Administrator to System can be run as a post-exploitation module (disabled by default in Options).
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
Subscribe to Privilege Escalation