Tag Archives: Microsoft

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014)

Leave a reply

A few details about Elevation of Privilege - Windows Installer (CVE-2024-38014)

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014). So that you don’t get the impression that this vulnerability can be exploited absolutely universally.

🔹 The attacker needs access to the Windows GUI. Naturally, the console window needs to be seen and “caught”. Just with the mouse. The task can be simplified by the SetOpLock utility, which does not allow the window to close.

🔹 The attacker needs a web browser installed on the host. Moreover, the current Edge or IE will not work, Firefox or Chrome is needed. And the browser should not be running before the attack. And Edge or IE should not be set as the default browser.

🔹 This will not work for every MSI file. SEC Consult has released a utility called msiscan to detect MSI files that can be used to exploit this and similar vulnerabilities.

На русском

About Elevation of Privilege – Windows Installer (CVE-2024-38014) vulnerability

Leave a reply

About Elevation of Privilege - Windows Installer (CVE-2024-38014) vulnerability

About Elevation of Privilege – Windows Installer (CVE-2024-38014) vulnerability. The vulnerability was fixed on September 11 as part of the September Microsoft Patch Tuesday. It was discovered by Michael Baer from SEC Consult. On September 12, a post was published in their blog with exploitation details.

MSI files are the standard way to install, repair, and uninstall programs in Windows. Installation requires high privileges. But the repair function can be launched by a low-privileged user. At the same time, the function itself might be executed in the context of NT AUTHORITY\SYSTEM. 🤔

The attacker launches the MSI file of an installed application, selects repair mode, and interacts with the console window launched with SYSTEM privileges. After a few steps, attacker gets an interactive SYSTEM console.

The Microsoft fix activates a UAC prompt when the MSI installer performs an action with elevated privileges, i.e. before the console window appears.

На русском

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress

Leave a reply

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress. We have branched off from Seclab news videos and started releasing separate episodes. Hooray! 🥳😎 If we get enough views, we will continue to release them in the future. It’s up to you, please follow the link to the video platform and click “Like” button and/or leave a comment. 🥺

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:48 Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077)
🔻 02:22 Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213)
🔻 03:23 Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Kernel (CVE-2024-38106), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 04:50 Unauthenticated Elevation of Privilege – WordPress LiteSpeed Cache Plugin (CVE-2024-28000)

English voice over was generated by my open source utility subtivo (subtitles to voice over)

06:39 Check out the final jingle I generated using AI services 😉 (ToolBaz for lyrics and Suno for music)

На русском

The severity of the Spoofing – Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

Leave a reply

The severity of the Spoofing - Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

The severity of the Spoofing – Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased. The vulnerability was fixed in September Microsoft Patch Tuesday. At the time of publication, Microsoft had not yet flagged this vulnerability as being exploited in the wild. They did this only 3 days later, on September 13.

ZDI Threat Hunting team researcher Peter Girnus discovered the vulnerability while investigating the Void Banshee APT attack. The vulnerability was exploited in the same attack chain as the trending Spoofing – Windows MSHTML Platform (CVE-2024-38112) vulnerability, patched in July.

Using this vulnerability, the attackers hid the extension of the malicious HTA file being opened by adding 26 Braille space characters to its name. Thus, victims may think that they are opening a harmless PDF document.

Installing the security update does not remove spaces in the file name, but Windows now shows the actual file extension. 👍

На русском

September Microsoft Patch Tuesday

Leave a reply

September Microsoft Patch Tuesday

September Microsoft Patch Tuesday. 107 CVEs, 28 of which were added since August MSPT. 6 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Windows Update (CVE-2024-43491)
🔻 Elevation of Privilege – Windows Installer (CVE-2024-38014)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38217), Microsoft Publisher (CVE-2024-38226), Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

3 more with private exploits:

🔸 Authentication Bypass – Azure (CVE-2024-38175)
🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-43487)
🔸 Elevation of Privilege – Windows Storage (CVE-2024-38248)

Other interesting vulnerabilities:

🔹 Remote Code Execution – Microsoft SQL Server (CVE-2024-37335 and 5 more CVEs)
🔹 Remote Code Execution – Windows NAT (CVE-2024-38119)
🔹 Elevation of Privilege – Windows Win32k (CVE-2024-38246, CVE-2024-38252, CVE-2024-38253)

🗒 Full Vulristics report

На русском

I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted

Leave a reply

I found that the research data for Remote Code Execution - Windows Remote Desktop Licensing Service MadLicense (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted

I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted. Both on GitHub and on Google Sites.

And what does this all mean? 🤔 Who knows. 🤷‍♂️ Considering that it disappeared on two platforms at once, it was probably deleted by the Chinese researchers themselves. Why did they do this? Perhaps they established a dialogue with Microsoft and MS asked them to remove everything from the public (which, of course, is stupid – the Internet remembers everything). Perhaps someone else asked them to do this. 🫡 Another reason to pay attention to this vulnerability.

На русском

About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday

Leave a reply

About Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday

About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday. In total, in the August MSPT there were 3 EoPs with signs of exploitation in the wild. They have identical descriptions: an attacker can elevate privileges on the host to SYSTEM level. The vulnerability in Windows Kernel is more difficult to exploit, because it is necessary to win a race condition.

We only know the names of the attackers who exploited the EoP vulnerability in the Windows Ancillary Functions Driver (AFD.sys). It is exploited by the well-known group Lazarus. This was reported in a press release from Gen Digital, the company that owns Avira and Avast antiviruses. To neutralize information security products during an attack, Lazarus attackers use the Fudmodule rootkit. So, even if EDR is installed on the host, the host should be updated. 😏

На русском