VoidSec (34)
Last Login: June 15, 2023
VoidSec's Latest (9) Contributions
Technical Analysis
Crucial by Micron Technology, Inc Ballistix MOD Utility v.<= 2.0.2.5 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the MODAPI.sys
driver component.
All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:
- Directly interact with physical memory via the
MmMapIoSpace
function call, mapping physical memory into a virtual address user-space.
- Read/write Model-Specific Registers (MSRs) via the
__readmsr/__writemsr
functions calls.
- Read/write 1/2/4 bytes to or from an IO port.
Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM
.
A complete analysis could be found at: https://voidsec.com/crucial-mod-utility-lpe-cve-2021-41285/
Technical Analysis
A complete root cause analysis could be found at: https://voidsec.com/fuzzing-faststone-image-viewer-cve-2021-26236/
Technical Analysis
IBM Tivoli Storage Manager – ITSM Administrator Client Command Line Administrative Interface (dsmadmc.exe) Version 5, Release 2, Level 0.1, is vulnerable to a stack-based buffer overflow in the ‘id’ parameter.
A complete root cause analysis could be found at: https://voidsec.com/tivoli-madness/#IBM_Tivoli_Storage_Manager
Technical Analysis
A complete Root Cause Analysis could be found at https://voidsec.com/tivoli-madness
Technical Analysis
Here you can read the entire analysis: https://voidsec.com/root-cause-analysis-of-cve-2021-3438/
The vulnerable function sub_15070
copies bytes from the user’s input buffer via the strncpy
function call with an arbitrary size parameter (controlled by the user), causing a buffer overflow. The buffer, initialized with all zeroes in the .data
segment, is the only reference in all of the section and it is only used in the highlighted strncpy
operation; there are no pointers nor interesting structures written inside the segement that we can corrupt to redirect the execution flow.
I can confidently say that this vulnerability can, at best, be used to perform a local Denial of Service (DoS) crashing the entire OS.
I think a more appropriate CVSS score is 6.5, rather than the arbitrary 8.8/10 score given to the original CVE.
Thx to @wvu-r7 for the peer review.
Hi @ccondon-r7 I have one clients that were further compromised using this vulnerability (attackers already had a foothold into his network and used this vulnerability to gain Domain Admin and push a ransomware). As I’m not part of the IR team I’m still waiting for them to gather more details on the attack.
Technical Analysis
Unauthenticated attacker, able to directly connect to a Domain Controller over NRPC will be able to reset the Domain Controller’s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.
The exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password.
Target computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action.
In test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.
Checker and Exploit code
Original research and white-paper: [Secura – Tom Tervoort](https://www.secura.com/blog/zero-logon](https://www.secura.com/blog/zero-logon)
Technical Analysis
CVE-2020-1337 is a bypass of (PrintDemon) CVE-2020-1048’s patch via a Junction Directory, made to remediate an Elevation of Privileges (EoP)\Local Privilege Escalation (LPE) vulnerability affecting the Windows’ Print Spooler Service. The vulnerability does require low privilege access and for the spooler service to restart.
The patch appeared in Microsoft’s patch Tuesday (11th August 2020) – https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1337#ID0EWIAC.
Vulnerability description, root cause analysis and PoC code on https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/
arevulnerable too