Felix aka [xi-tauw]

@BHinfoSecurity Didn't you forget 6 somewhere in Rs?

R8: 1 2 R9: 2 1 2 4 1 3 2 R10: 3 3 3 1 1 1 R11: 1 3 2 1 1 1 1 2 R12: 1 3 5 1 3 R13: 3 1 2 1 5 1 2 R14: 1 1 1 1 1 1 1 2 2 1 R15: 2 7 1 4 1 1 R16: 1 1 1 3 1 1 1 R17: 2 1 1 1 8 R18: 1 1 1 1 1 2 1 R19: 7 5 2 1 2 2 R20: 1 1 1 1 1 1 5 R21: 1 3 1 1 6 1 R22: 1 3 1 1 2 1 1 4

@hFireF0X UACME method 20. Probably wasn't fixed properly.

UAC bypass: Copy payload dll (IFileOperation) as C:\Windows\System32\wbem\wbemcomn.dll then run diskmgmt.msc Essence: diskmgmt invokes start of vds service (NT AUTHORITY\SYSTEM), that loads the dll. Also the dll could be used for persistence (via WmiPrvSE.exe), but I'm not sure.

@404death @hFireF0X Must be in Administrators group. This is not privesc, only bypass UAC.

@PsiDragon @hFireF0X hmm, but, how can we copy the dll file to C:\Windows\System32\wbem\ without having administrator privileged ?

@0xTback Yep. This is not privesc, only bypass UAC.

@PsiDragon C:\Windows\System32\wbem\ have to need the Administrators ?

GOG Galaxy. I almost forgot about this research by now (it was year ago), but the recent news about Cyberpunk 2077 reminded me that I haven’t publicly shared my research. Rus - habr.com/ru/company/pm/… Eng - amonitoring.ru/article/gog/

Little writeup for EOP for Dr.Web Security Space 12. Rus - habr.com/ru/company/pm/… Eng - amonitoring.ru/article/drweb/

Writeup for EOP for ABBYY FineReader (CVE-2019-20383). Rus - habr.com/ru/company/pm/… Eng - amonitoring.ru/article/abbyy-…

@taviso I converted this into UAC bypass some time ago. amonitoring.ru/article/uac_by…

Interesting question, is this a UAC bypass? My first thought is no, because UIPI means you can't automate the interaction. Therefore, the only way to exploit it is if you could have just clicked OK in the UAC consent anyway.... right? (yes, I know UAC is not a supported boundary)

@decoder_it Already done =)

@PsiDragon i leave it up to you ;-)

From dropbox(updater) to NT AUTHORITY\SYSTEM decoder.cloud/2019/12/18/fro…

@davidvalles007 Thanks. There were just winapi functions. From PoC:

@PsiDragon Nicely written post. For CVE-2019-19247, how were you sending commands to the named pipe? Is there a native command or script/tool to do interaction with a named pipe?

Writeup for EOP for Windows Origin client. (CVE-2019-19247 и CVE-2019-19248) Rus - habr.com/ru/company/pm/… Eng - amonitoring.ru/article/origin…

cc @enigma0x3, @tiraniddo I bet you like CVE-2019-19247

@0gtweet @424f424f WO

Persistency tip: if you have admin rights for a moment, just add “WD” or “DC” to SDDL of any of Windows Services. It will allow you to elevate your privileges back any moment you need. Good luck finding this, Blue Team...

Today is going well.

Writeup for third Steam vulnerability. #PublicDisclosure but not #0day this time, already patched. Rus - habr.com/ru/company/pm/… Eng - amonitoring.ru/article/steam_…

store.steampowered.com/news/54236/ Third reported vulnerability has been fixed in main client. Hurray.

@y3gou666 I created backup while researching.

@PsiDragon so how to download old version steam for recurrencing the vulnerability?☹️

Unbanned on h1. So try do new report there.