This is a (bit long) introduction on how to abuse file operations performed by privileged processes on Windows for local privilege escalation (user to admin/system), and a presentation of available techniques, tools and procedures to exploit these types of bugs.
A privileged file copy performed by SAFE when an infected file is detected can be abused to overwrite an arbitrary file. This can be used by an unprivileged user to obtain SYSTEM privileges on the local machine.
The permissive access rights on logs and quarantine (files / folders and configuration), and the privileged file manipulation performed by McAfee Endpoint Security on these files can be abused to create or delete arbitrary files, or to create arbitrary registry keys. This can be used by an unprivileged user to obtain SYSTEM privileges on the local machine.
The permissive access rights on the log folder, log files and shared memory section, as set by the Pulse Secure client's logging service, can be abused to create arbitrary files with write access. This can be used by an unprivileged user to obtain SYSTEM privileges on the local machine.
🎵 I'm dreaming of a pwned Christmaaaaas 🎵 As usual, here's my write-up for the 2018 SANS Christmas Challenge.
'Tis the season to be pwning, falalalala lalalala. Each year, the SANS team publishes a Christmas Challenge against which anyone can test their skills. This year was no exception, and here's our write-up for the 2017 SANS Christmas Challenge.
.NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10 (including the latest RS3 builds) by making an auto-elevate .NET process (such as MMC snap-ins) load an arbitrary DLL.