
25 matches found

Microsoft KB
added 2024/08/13 7:0 a.m. | 90 views

August 13, 2024—KB5041592 (OS Build 22000.3147)

August 13, 2024—KB5041592 OS Build 22000.3147 07/09/24---END OF SERVICE NOTICE ---IMPORTANT All editions of Windows 11, version 21H2 will reach end of service on October 8, 2024. After that date, these devices will not receive monthly security and non-security updates. These updates contain...

9.8 CVSS | 7.8 AI score | 0.79806 EPSS
Exploits 4

Microsoft KB
added 2024/08/13 7:0 a.m. | 181 views

August 13, 2024—KB5041160 (OS Build 20348.2655)

August 13, 2024—KB5041160 OS Build 20348.2655 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page. Note Follow @WindowsUpdate to find out when...

9.8 CVSS | 8.8 AI score | 0.79806 EPSS
Exploits 4

Kitploit
added 2024/06/16 5:16 p.m. | 49 views

NativeDump - Dump Lsass Using Only Native APIs By Hand-Crafting Minidump Files (Without MinidumpWriteDump!)

NativeDump allows to dump the lsass process using only NTAPIs generating a Minidump file with only the streams needed to be parsed by tools like Mimikatz or Pypykatz SystemInfo, ModuleList and Memory64List Streams. NTOpenProcessToken and NtAdjustPrivilegeToken to get the "SeDebugPrivilege"...

7.3 AI score
Exploits 0 | References 5

Vulnrichment
added 2023/10/10 12:0 a.m. | 13 views

CVE-2023-31096

An issue was discovered in Broadcom LSI PCI-SV92EX Soft Modem Kernel Driver through 2.2.100.1 aka AGRSM64.sys. There is Local Privilege Escalation to SYSTEM via a Stack Overflow in RTLCopyMemory IOCTL 0x1b2150. An attacker can exploit this to elevate privileges from a medium-integrity process to...

7 AI score | 0.00019 EPSS
Exploits 1 | References 2

Prion
added 2021/12/27 2:15 p.m. | 11 views

Privilege escalation

Privilege escalation vulnerability in the Self-Defense driver of Avast Antivirus prior to 20.8 allows a local user with SYSTEM privileges to gain elevated privileges by "hollowing" process wscproxy.exe which could lead to acquire antimalware AM-PPL protection...

7.2 CVSS | 8.7 AI score | 0.00106 EPSS
Exploits 1 | References 2 | Affected Software 1

CVE
added 2021/12/27 12:44 p.m. | 47 views

CVE-2021-45337

CVE-2021-45337 describes a local privilege escalation in Avast Antivirus via the Self‑Defense driver. Before version 20.8, a local user with SYSTEM privileges could hollow out the process wsc_proxy.exe to gain elevated privileges, potentially enabling full antimalware (AM‑PPL) protection. Affecte...

8.8 CVSS | 8.7 AI score | 0.00106 EPSS
Exploits 1 | References 2 | Affected Software 1

Kitploit
added 2021/07/06 12:30 p.m. | 251 views

TiEtwAgent - PoC Memory Injection Detection Agent Based On ETW, For Offensive And Defensive Research Purposes

This project was created to research, build and test different memory injection detection use cases and bypass techniques. The agent utilizes Microsoft-Windows-Threat-Intelligence event tracing provider, as a more modern and stable alternative to Userland-hooking, with the benefit of Kernel-mode...

7.8 AI score
Exploits 0 | References 4

GoogleProjectZero
added 2020/07/31 12:0 a.m. | 29 views

The core of Apple is PPL: Breaking the XNU kernel's kernel

Posted by Brandon Azad, Project Zero While doing research for the one-byte exploit technique, I considered several ways it might be possible to bypass Apple's Page Protection Layer PPL using just a physical address mapping primitive, that is, before obtaining kernel read/write or defeating PAC...

6.9 AI score
Exploits 0

Cvelist
added 2019/10/23 4:59 p.m. | 11 views

CVE-2019-17093

An issue was discovered in Avast antivirus before 19.8 and AVG antivirus before 19.8. A DLL Preloading vulnerability allows an attacker to implant %WINDIR%\system32\wbemcomn.dll, which is loaded into a protected-light process PPL and might bypass some of the self-defense mechanisms. This affects...

7.5 AI score | 0.00046 EPSS
Exploits 1 | References 2

GoogleProjectZero
added 2018/11/30 12:0 a.m. | 34 views

Injecting Code into Windows Protected Processes using COM - Part 2

Posted by James Forshaw, Project Zero In my previous blog I discussed a technique which combined numerous issues I’ve previously reported to Microsoft to inject arbitrary code into a PPL-WindowsTCB process. The techniques presented don’t work for exploiting the older, stronger Protected Processes...

7.6 AI score
Exploits 0

Exploit DB
added 2018/09/19 12:0 a.m. | 225 views

Microsoft Windows - 'CiSetFileCache' WDAC Security Feature Bypass TOCTOU

Windows: CiSetFileCache TOCTOU CVE-2017-11830 Variant WDAC Security Feature Bypass Platform: Windows 10 1803, 1709 should include S-Mode but not tested Class: Security Feature Bypass Summary: While the TOCTOU attack against cache signing has been mitigated through NtSetCachedSigningLevel it’s...

5.3 CVSS | 6.4 AI score | 0.0119 EPSS
Exploits 8

exploitpack
added 2018/09/19 12:0 a.m. | 55 views

Microsoft Windows - CiSetFileCache WDAC Security Feature Bypass TOCTOU

Microsoft Windows - CiSetFileCache WDAC Security Feature Bypass TOCTOU Windows: CiSetFileCache TOCTOU CVE-2017-11830 Variant WDAC Security Feature Bypass Platform: Windows 10 1803, 1709 should include S-Mode but not tested Class: Security Feature Bypass Summary: While the TOCTOU attack against...

4.6 CVSS | 6.4 AI score | 0.0119 EPSS
Exploits 8

exploitpack
added 2017/11/20 12:0 a.m. | 18 views

Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass

Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1332 Windows: CiSetFileCache TOCTOU Security Feature Bypass Platform: Windows 10 10586/14393/10S not tested 8.1 Update 2 or Windows 7 Class: Security Feature Bypa...

7.4 AI score
Exploits 0

Exploit DB
added 2017/11/20 12:0 a.m. | 96 views

Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1332 Windows: CiSetFileCache TOCTOU Security Feature Bypass Platform: Windows 10 10586/14393/10S not tested 8.1 Update 2 or Windows 7 Class: Security Feature Bypass Summary: It’s possible to add a cached signing level to an unsigne...

7.4 AI score
Exploits 0

0day.today
added 2017/11/20 12:0 a.m. | 64 views

Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass Vulnerability

Exploit for windows platform in category local exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1332 Windows: CiSetFileCache TOCTOU Security Feature Bypass Platform: Windows 10 10586/14393/10S not tested 8.1 Update 2 or Windows 7 Class: Security Feature Bypass Summary:...

4.6 CVSS | 6.3 AI score | 0.0119 EPSS
Exploits 8

0day.today
added 2017/08/29 12:0 a.m. | 54 views

Microsoft Windows PPL Process Injection Privilege Escalation Exploit

Exploit for windows platform in category dos / poc Windows: PPL Process Injection EoP Platform: Windows 10 1703 x64 Class: Elevation of Privilege Summary: It’s possible to inject code into a PPL protected process by hijacking COM objects leading to accessing PPL processes such as Lsa and...

7 AI score
Exploits 0

seebug.org
added 2014/07/01 12:0 a.m. | 163 views

TFM MMPlayer (m3u/ppl File) Buffer Overflow

No description provided by source. This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. http://metasploit.com/framework/ require 'msf/core'...

7.1 AI score
Exploits 0

0day.today
added 2012/06/15 12:0 a.m. | 269 views

TFM MMPlayer (m3u/ppl File) Buffer Overflow

Exploit for windows platform in category local exploits This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. http://metasploit.com/framework/...

6.8 AI score
Exploits 0

Exploit DB
added 2012/06/15 12:0 a.m. | 177 views

TFM MMPlayer - '.m3u' / '.ppl' Local Buffer Overflow (Metasploit)

This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. http://metasploit.com/framework/ require 'msf/core' class Metasploit3 'TFM MMPlayer...

7.4 AI score
Exploits 0

Metasploit
added 2012/06/13 4:20 a.m. | 394 views

TFM MMPlayer (m3u/ppl File) Buffer Overflow

This module exploits a buffer overflow in MMPlayer 2.2 The vulnerability is triggered when opening a malformed M3U/PPL file that contains an overly long string, which results in overwriting a SEH record, thus allowing arbitrary code execution under the context of the user. This module requires...

9.3 CVSS | 8.2 AI score | 0.63261 EPSS
Exploits 1