"this bug is likely not exploitable and priv esc on a VM is kind of dumb" :) <- A good writeup but what do you mean, why is priv esc on a VM not a legit concern?
-
It's like escaping a jail into an even worse jail! I don't know, I guess it could be useful to hide your malware on a VM!
-
awesome post, out of curiosity have you thought of using subscribing to SHChangeNotify or something similar to monitor for when the files get created/deleted?
-
Procmon works very well for me. If I were to write my own tooling, I would write something similar to Process Monitor, at least visually, that allows you to hook arbitrary functions (ones that are used for resource access) to find race conditions elsewhere, not just in the filesystem.
-
Note that you can click on the images to make them larger.
-
If something doesn't make sense, let me know. I've been horribly ill the past week and it was hard to focus.
-
You can build your own MSI package and also make it installable by “standard users” (look at MsiInfo.exe with the -w 10 option https://docs.microsoft.com/en-us/windows/win32/msi/msiinfo-exe …). Besides, your custom MSI package will install file/files in the dir that you have configured... so YES, this bug is exploitable!
-
When trying to repair a package like that with the /fa flag, will it do so at higher privs without impersonation? I thought this wasn't the case for packages like this.. but I can't remember if this is just me making assumptions in my head or based on actual testing lol.
-
Excellent write-up Ess!! Bloop!!

-
Welcome back!