VoidSec (34)

Last Login: June 15, 2023
Assessments: 7
Score: 34

VoidSec's Latest (9) Contributions

3
  • Word 2021 MSO (Version 2302 Build 16.0.16130.20186) 64-bit
  • Word 2021 MSO (Version 2302 Build 16.0.16130.20298) 64-bit
  are vulnerable too.
3
Ratings
Technical Analysis

Crucial (by Micron Technology, Inc.) Ballistix MOD Utility, versions <= 2.0.2.5, is vulnerable to multiple Local Privilege Escalation (LPE/EoP) vulnerabilities in the MODAPI.sys driver component.

All the vulnerabilities are triggered by sending specific IOCTL requests and allow an attacker to:

  • Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a user-space virtual address.
  • Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr function calls.
  • Read/write 1/2/4 bytes to or from an I/O port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.
A complete analysis can be found at: https://voidsec.com/crucial-mod-utility-lpe-cve-2021-41285/

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

A complete root cause analysis can be found at: https://voidsec.com/fuzzing-faststone-image-viewer-cve-2021-26236/

1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Technical Analysis

IBM Tivoli Storage Manager – ITSM Administrator Client Command Line Administrative Interface (dsmadmc.exe) Version 5, Release 2, Level 0.1, is vulnerable to a stack-based buffer overflow in the ‘id’ parameter.
A complete root cause analysis can be found at: https://voidsec.com/tivoli-madness/#IBM_Tivoli_Storage_Manager

1
Ratings
Technical Analysis

A complete root cause analysis can be found at: https://voidsec.com/tivoli-madness

4
Ratings
Technical Analysis

Here you can read the entire analysis: https://voidsec.com/root-cause-analysis-of-cve-2021-3438/
The vulnerable function sub_15070 copies bytes from the user's input buffer via the strncpy function call with an arbitrary size parameter (controlled by the user), causing a buffer overflow. The buffer, initialized with all zeroes in the .data segment, is the only reference in the whole section and is only used in the highlighted strncpy operation; there are no pointers or interesting structures written inside the segment that we could corrupt to redirect the execution flow.
I can confidently say that this vulnerability can, at best, be used to perform a local Denial of Service (DoS), crashing the entire OS.
I think a more appropriate CVSS score is 6.5, rather than the arbitrary 8.8/10 score given to the original CVE.

Thx to @wvu-r7 for the peer review.

9

Hi @ccondon-r7, I have one client that was further compromised using this vulnerability (attackers already had a foothold in their network and used this vulnerability to gain Domain Admin and push ransomware). As I'm not part of the IR team, I'm still waiting for them to gather more details on the attack.

10
Ratings
Technical Analysis

An unauthenticated attacker able to directly connect to a Domain Controller over NRPC will be able to reset the Domain Controller's account password to an empty string, thus enabling the attacker to further escalate their privileges to Domain Admin.

The exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally, because, when changing a password in this way, it is only changed in AD. The targeted system itself will still locally store its original password.
The target computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action.
In a test lab, a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replicating Domain Controllers.

Checker and Exploit code
Original research and white-paper: Secura (Tom Tervoort), https://www.secura.com/blog/zero-logon
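The credential flaw behind the attack described above, as an added example that is not part of the original assessment, of Secura's white-paper or of the checker/exploit code it links to. Netlogon proves knowledge of the session key with ComputeNetlogonCredential, AES-128 in CFB8 mode with a fixed all-zero IV over an 8-byte challenge; with a zero IV and an all-zero client challenge the credential is all zeros whenever the first keystream byte is zero, which happens for about 1 session key in 256, and since every NetrServerReqChallenge yields a fresh session key the attacker just retries. The session-key derivation, the DC class, the secrets and the seeds below are constructed stand-ins (not MS-NRPC byte-accurate); real AES is used when the `cryptography` package is installed, otherwise a SHA-256 keyed PRF with the same 1/256 statistics stands in for the block cipher.

```python
"""Model of the Zerologon (CVE-2020-1472) credential flaw, runnable offline.

Added example; not the original assessment's or Secura's code. The DC side
and the session-key derivation are simplified stand-ins (assumptions).
"""
import hashlib
import random

try:  # use real AES-128 when the `cryptography` package is available
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()

    block_encrypt(bytes(16), bytes(16))  # probe the installed API once
except Exception:  # no usable AES: keyed PRF stand-in, same 1/256 statistics
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]

ZERO_IV = bytes(16)
ZERO_CHALLENGE = bytes(8)
ZERO_CREDENTIAL = bytes(8)


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: encrypt the 16-byte shift register, use its first byte as the
    keystream byte, then shift the resulting ciphertext byte into the register."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(shift))[0] ^ p
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC AES credential: CFB8 over the 8-byte challenge, IV fixed to zero."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def derive_session_key(secret: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    """Stand-in for the AES session-key derivation (the real one is an HMAC-SHA256
    over MD4(machine password) and both challenges). Only its shape matters here:
    the key changes with every server challenge."""
    return hashlib.sha256(secret + client_chal + server_chal).digest()[:16]


class DomainController:
    """Server side of NetrServerReqChallenge / NetrServerAuthenticate3, reduced
    to the credential check that Zerologon defeats (constructed model)."""

    def __init__(self, machine_secret: bytes, rng: random.Random):
        self.secret = machine_secret
        self.rng = rng
        self.session_key = None

    def req_challenge(self, client_chal: bytes) -> bytes:
        server_chal = bytes(self.rng.getrandbits(8) for _ in range(8))
        self.session_key = derive_session_key(self.secret, client_chal, server_chal)
        return server_chal

    def authenticate3(self, client_chal: bytes, client_cred: bytes) -> bool:
        if self.session_key is None:
            return False
        return compute_netlogon_credential(self.session_key, client_chal) == client_cred


def make_dc(secret: bytes, seed: int) -> DomainController:
    """Constructed DC with a deterministic challenge source for repeatable runs."""
    return DomainController(secret, random.Random(seed))


def honest_client_authenticates(dc: DomainController, secret: bytes) -> bool:
    """Legitimate domain member: derive the same session key and prove it."""
    client_chal = bytes(range(8))  # constructed nonce; any value works
    server_chal = dc.req_challenge(client_chal)
    key = derive_session_key(secret, client_chal, server_chal)
    return dc.authenticate3(client_chal, compute_netlogon_credential(key, client_chal))


def zerologon_attempts(dc: DomainController, max_attempts: int = 10000) -> int:
    """Attacker with no secret: all-zero challenge and all-zero credential,
    retried until accepted. Returns the successful attempt number, -1 if none.
    Each attempt gets a fresh session key, so success is geometric with p ~ 1/256."""
    for attempt in range(1, max_attempts + 1):
        dc.req_challenge(ZERO_CHALLENGE)
        if dc.authenticate3(ZERO_CHALLENGE, ZERO_CREDENTIAL):
            return attempt
    return -1


def zero_credential_iff_first_keystream_byte_zero(session_key: bytes) -> bool:
    """The invariant behind the attack: once the first keystream byte is zero, a
    zero shift register stays zero, so the whole credential is zero."""
    cred = compute_netlogon_credential(session_key, ZERO_CHALLENGE)
    return (cred == ZERO_CREDENTIAL) == (block_encrypt(session_key, ZERO_IV)[0] == 0)


def sample_session_keys(n: int) -> list:
    """Constructed, deterministic 16-byte keys for checking the invariant."""
    return [hashlib.sha256(i.to_bytes(4, "big")).digest()[:16] for i in range(n)]


if __name__ == "__main__":
    secret = b"constructed-machine-account-secret"
    dc = make_dc(secret, seed=2020)
    print("honest client accepted:", honest_client_authenticates(dc, secret))
    print("zero credential accepted after attempts:", zerologon_attempts(dc))
```

Once NetrServerAuthenticate3 accepts the all-zero credential (with signing and sealing negotiated off), the same zero-register property lets the attacker pass an all-zero authenticator to NetrServerPasswordSet2 and set the empty password the assessment describes; the patch closes this by enforcing secure RPC on the channel, not by changing the credential function.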

7
Ratings
Technical Analysis

CVE-2020-1337 is a bypass, via a junction directory, of the patch for CVE-2020-1048 (PrintDemon), which was made to remediate an Elevation of Privilege (EoP) / Local Privilege Escalation (LPE) vulnerability affecting the Windows Print Spooler service. The vulnerability does require low-privileged access and for the spooler service to restart.
The patch appeared in Microsoft's Patch Tuesday (11th August 2020): https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1337#ID0EWIAC.

Vulnerability description, root cause analysis and PoC code at https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/