An elevation of privilege vulnerability exists when Windows kernel does not properly constrain impersonation levels. The vulnerability occurs because a user can place symlinks for the system drives in the per-login session device map and the kernel will follow them during impersonation. An attacker who successfully exploited this vulnerability may, for example, redirect a call to LoadLibrary, from a system service (when impersonating), to an arbitrary location.
This module exploits when sending specially crafted argument to makeMeasurement leaving objects in an inconsistent state. This produces a leak via a call to dumpMeasureData storing a file to a share folder with importante addresses and can later be retrieved .Finally using NSendApprovalToAuthorEnabled method it is possible to bypass the Javascript API restrictions and resend a new crafted PDF to the browser to produce buffer overflow and complete exploitation. This module runs a malicious web site on the CORE IMPACT Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site.
This module exploit three different vulnerabilities in Symantec Endpoint Protection Manager (SEPM) in order to install an agent on a vunlerable target machine. CVE-2015-1486 allows unauthenticated attackers access to SEPM. CVE-2015-1487 allows reading and writing arbitrary files, resulting in the execution of arbitrary commands with 'NT Service\semsrv' privileges. CVE-2015-1489 allows the execution of arbitrary OS commands with 'NT Authority\SYSTEM' privileges.
Certain Javascript APIs in Adobe Acrobat Pro can only be executed in a privileged context. By adding specially crafted Javascript code to a PDF file it's possible to bypass security restrictions and invoke privileged Javascript APIs, allowing for arbitrary code execution. This exploit takes advantage of the AFParseDate() trusted function, which can call eval() with attacker-controlled input, in order to bypass the security restrictions and ultimately call Collab.uriPutData() to write arbitrary files into the victim's filesystem. The exploit will try to gain code execution on the victim's machine by potentially dropping two files: A DLL named updaternotifications.dll will be written into the same folder where the crafted PDF file is located in the victim's machine. This DLL will be automatically loaded by Adobe Acrobat Pro a few seconds after the crafted PDF file has been opened, as long as the Updater settings of Adobe Acrobat Pro is set to any option different than "Do not download or install updates automatically". An EXE file will be written into the %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder, if possible. This executable containing the agent code will be automatically executed upon next user logon into the vulnerable machine. In order for this EXE file to be dropped, the PDF file needs to infer the location of the %USERPROFILE% folder (typically something like C:\Users\JohnDoe) by inspecting the current path of the PDF file. This means that the EXE file will be dropped only if the PDF file is loaded from a path under the %USERPROFILE% folder in the victim's machine, such as the Desktop, the "My Documents" folder, or the "Downloads" folder.
FortiClient is prone to a privilege-escalation vulnerability that affects mdare64_48.sys, mdare32_48.sys, mdare32_52.sys, mdare64_52.sys and Fortishield.sys drivers. All these drivers expose an API to manage processes and the windows registry, for instance, the IOCTL 0x2220c8 of the mdareXX_XX.sys driver returns a full privileged handle to a given process PID. In particular, this same function is replicated inside Fortishield.sys. Attackers can leverage this issue to execute arbitrary code with elevated privileges in the context of any selected process. This module uses the previous vulnerability to inject an agent inside lsass.exe process.
Subscribe to Windows