Tag Archives: Windows

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability

Leave a reply

About Elevation of Privilege - Windows Task Scheduler (CVE-2024-49039) vulnerability

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability. It was released on November Microsoft Patch Tuesday and showed signs of exploitation in the wild right away. To exploit the vulnerability, an authenticated attacker runs a specially crafted application on the target system. The attack can be performed from an AppContainer restricted environment. Using this vulnerability, an attacker can elevate their privileges to Medium Integrity level and gain the ability to execute RPC functions that are restricted to privileged accounts only.

ESET reports that the vulnerability allowed the RomCom attackers to execute malicious code outside the Firefox sandbox and then launch hidden PowerShell processes to download and run malware from C&C servers.

👾 There is a backdoor code on GitHub that exploits this vulnerability.

На русском

November Microsoft Patch Tuesday

Leave a reply

November Microsoft Patch Tuesday

November Microsoft Patch Tuesday. 125 CVEs, 35 of which were added since October MSPT. 2 vulnerabilities with signs of exploitation in the wild:

🔻 Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039)
🔻 Disclosure/Spoofing – NTLM Hash (CVE-2024-43451)

No signs of exploitation, but with a private PoC of the exploit:

🔸 Remote Code Execution – Microsoft Edge (CVE-2024-43595, CVE-2024-43596)
🔸 Authentication Bypass – Azure Functions (CVE-2024-38204)
🔸 Authentication Bypass – Microsoft Dataverse (CVE-2024-38139)
🔸 Spoofing – Microsoft Exchange (CVE-2024-49040)

Among the rest can be highlighted:

🔹Remote Code Execution – Windows Kerberos (CVE-2024-43639)
🔹Elevation of Privilege – Windows Win32k (CVE-2024-43636)
🔹Elevation of Privilege – Windows DWM Core Library (CVE-2024-43629)
🔹Elevation of Privilege – Windows NT OS Kernel (CVE-2024-43623)

🗒 Full Vulristics report

На русском

October Microsoft Patch Tuesday

Leave a reply

October Microsoft Patch Tuesday

October Microsoft Patch Tuesday. 146 CVEs, of which 28 were added since September MSPT. 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Microsoft Management Console (CVE-2024-43572)
🔻 Spoofing – Windows MSHTML Platform (CVE-2024-43573)

Without signs of exploitation in the wild, but with a public PoC exploit:

🔸 Remote Code Execution – Open Source Curl (CVE-2024-6197)

Private exploits exist for:

🔸 Information Disclosure – Microsoft Edge (CVE-2024-38222)
🔸 Security Feature Bypass – Windows Hyper-V (CVE-2024-20659)

Among the rest can be highlighted:

🔹 Remote Code Execution – Remote Desktop Protocol Server (CVE-2024-43582)
🔹 Remote Code Execution – Windows Remote Desktop Client (CVE-2024-43533, CVE-2024-43599)
🔹 Remote Code Execution – Windows Routing and Remote Access Service (RRAS) (CVE-2024-38212 and 11 more CVEs)

🗒 Full Vulristics report

На русском

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress

Leave a reply

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress. We have branched off from Seclab news videos and started releasing separate episodes. Hooray! 🥳😎 If we get enough views, we will continue to release them in the future. It’s up to you, please follow the link to the video platform and click “Like” button and/or leave a comment. 🥺

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:48 Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077)
🔻 02:22 Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213)
🔻 03:23 Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Kernel (CVE-2024-38106), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 04:50 Unauthenticated Elevation of Privilege – WordPress LiteSpeed Cache Plugin (CVE-2024-28000)

English voice over was generated by my open source utility subtivo (subtitles to voice over)

06:39 Check out the final jingle I generated using AI services 😉 (ToolBaz for lyrics and Suno for music)

На русском

September Microsoft Patch Tuesday

Leave a reply

September Microsoft Patch Tuesday

September Microsoft Patch Tuesday. 107 CVEs, 28 of which were added since August MSPT. 6 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Windows Update (CVE-2024-43491)
🔻 Elevation of Privilege – Windows Installer (CVE-2024-38014)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38217), Microsoft Publisher (CVE-2024-38226), Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

3 more with private exploits:

🔸 Authentication Bypass – Azure (CVE-2024-38175)
🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-43487)
🔸 Elevation of Privilege – Windows Storage (CVE-2024-38248)

Other interesting vulnerabilities:

🔹 Remote Code Execution – Microsoft SQL Server (CVE-2024-37335 and 5 more CVEs)
🔹 Remote Code Execution – Windows NAT (CVE-2024-38119)
🔹 Elevation of Privilege – Windows Win32k (CVE-2024-38246, CVE-2024-38252, CVE-2024-38253)

🗒 Full Vulristics report

На русском

I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted

Leave a reply

I found that the research data for Remote Code Execution - Windows Remote Desktop Licensing Service MadLicense (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted

I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted. Both on GitHub and on Google Sites.

And what does this all mean? 🤔 Who knows. 🤷‍♂️ Considering that it disappeared on two platforms at once, it was probably deleted by the Chinese researchers themselves. Why did they do this? Perhaps they established a dialogue with Microsoft and MS asked them to remove everything from the public (which, of course, is stupid – the Internet remembers everything). Perhaps someone else asked them to do this. 🫡 Another reason to pay attention to this vulnerability.

На русском

About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday

Leave a reply

About Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday

About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday. In total, in the August MSPT there were 3 EoPs with signs of exploitation in the wild. They have identical descriptions: an attacker can elevate privileges on the host to SYSTEM level. The vulnerability in Windows Kernel is more difficult to exploit, because it is necessary to win a race condition.

We only know the names of the attackers who exploited the EoP vulnerability in the Windows Ancillary Functions Driver (AFD.sys). It is exploited by the well-known group Lazarus. This was reported in a press release from Gen Digital, the company that owns Avira and Avast antiviruses. To neutralize information security products during an attack, Lazarus attackers use the Fudmodule rootkit. So, even if EDR is installed on the host, the host should be updated. 😏

На русском