An elevation of privilege vulnerability exists when Windows kernel does not properly constrain impersonation levels. The vulnerability occurs because a user can place symlinks for the system drives in the per-login session device map and the kernel will follow them during impersonation. An attacker who successfully exploited this vulnerability may, for example, redirect a call to LoadLibrary, from a system service (when impersonating), to an arbitrary location.
FortiClient is prone to a privilege-escalation vulnerability that affects mdare64_48.sys, mdare32_48.sys, mdare32_52.sys, mdare64_52.sys and Fortishield.sys drivers. All these drivers expose an API to manage processes and the windows registry, for instance, the IOCTL 0x2220c8 of the mdareXX_XX.sys driver returns a full privileged handle to a given process PID. In particular, this same function is replicated inside Fortishield.sys. Attackers can leverage this issue to execute arbitrary code with elevated privileges in the context of any selected process. This module uses the previous vulnerability to inject an agent inside lsass.exe process.
An elevation of privilege vulnerability exists when the Win32k.sys kernel-mode driver improperly handles objects in memory. The vulnerability exists in the Windows OS process of creating windows for applications. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. This module exploits the previous vulnerability to deploy an agent that runs with SYSTEM privileges.
This module exploits an "Use After Free" vulnerability in "win32k.sys" by calling to "SetClassLong" function with crafted parameters.
This module exploits a vulnerability in "atmfd.dll" Windows kernel module by loading a crafted OTF font.
This module exploits a vulnerability in "atmfd.dll" Windows kernel module by loading a crafted OTF font.
This module exploits a vulnerability in Symantec Endpoint Client when the 0x002224A4 function is invoked with a specially crafted parameter. The IOCTL 0x00222084 handler in the Sysplant.sys device driver in Symantec Endpoint allows local users to overwrite header in kernel pool and execute arbitrary code to obtain system privileges.
An elevation of privilege vulnerability exists in the Windows kernel-mode driver (Win32k.sys) that is caused when it improperly handles objects in memory. A local unprivileged user who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges. This module exploits the previous vulnerability to deploy an agent that runs with SYSTEM privileges.
This module exploits a vulnerability in Linux. The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces.
This module exploits a JPEG2000 vulnerability (CVE-2012-0897) in "vprintproxy.exe" through COM1 from the VMware guest operating system to the host operating system.