This module triggers a memory corruption vulnerability in the Event Log Service by sending a malformed packet. It can be used by a remote attacker to stop recording events of important software so will left no traces. For example, if an attacker installs an agent on a domain-joined workstation. He can remotely stop the domain controller's Event Log service.
Wordpress POST SMPT Plugin is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.
This exploit leverages an Information Disclosure vulnerability in Microsoft WordPad. The vulnerability is associated with legacy functionality to convert an OLE 1 storage object (OLESTREAM) to the new IStorage format. By crafting a file with a malicious OLE 1 LinkedObject, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. This exploit does not install an agent, it manages to obtain the NTML hash of a legitimate user.
The Ancillary Function Driver (AFD.sys) present in Microsoft Windows is vulnerable to a double-fetch that causes an integer overflow, which can result in out-of-bounds memory write to non-paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by calling to the WSASendMsg function with crafted parameters.
An attacker who successfully exploited the vulnerability could elevate the integrity level from medium to high with Administrator privileges in two stages. First Stage: The first stage bug is a DLL Hijacking caused by the Drive Remapping of ROOT drive, allowing a MEDIUM INTEGRITY process to be elevated to limited HIGH PRIVILEGES, but without reach the complete privileges to be full Administrator. if the user belongs to the Local Administrators Group, it continues copying the necessary files to perform the exploitation, MsCtfMonitor.dll to the same folder when the agent runs, TAPI32.Manifest and imm32.dll containing the Impact agent to be deployed, are copied to system32\Tasks too. After that, It executes in memory the file sploit.obj that is the executable BOF to perform the first stage, which remaps the ROOT Drive using the NtCreateSymbolicLinkObject function, with that some Services are affected and will attempt to load libraries from the new fake user-controlled system32, in our case CTFMON tries to load the crafted MsCtfMonitor.dll from our fake controlled system32 folder, created by the BOF after remap, next, its DoMsCtfMonitor function is called and executes our code with HIGH INTEGRITY LEVEL with non Administrator privileges. Second Stage: MsCtfMonitor.dll, has the code to perform the Second Stage, it performs Activation Cache Poisoning registering the crafted TAPI32.Manifest placed in system32\Tasks for TAPI32.dll, After that executing tcmsetup.exe it loads tapi32.dll, and the fake manifest added to the Activation Cache loads the imm32.dll with the second phase Impact Agent to elevate to HIGH with full Administrator privileges. Additionally, a module to elevate from Administrator to System can be run as a post-exploitation module (disabled by default in Options).
Subscribe to Windows