oh- and works from edge sandbox :)
Show this thread
CVE-2020-16938 - aka bits please! So...recent update changed the permissions on partitions and volume device objects, granting everybody read access. This means that by opening the device directly you can read the raw data without any privs. 7zip parses NTFS so super for POCpic.twitter.com/JXBTmcEIxQ
-
-
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
That’s super useful
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
I like how people are trying everything to find any kind of windows vulnerability and you are here like: Yeah just open 7z and double click this for privesc and sandbox escape proof of concept
-
i do the things that are too stupid to try :)
- Show replies
New conversation -
-
-
Jonas this is mindblowing
-
I had to submit it 4 times! Then I did this: https://twitter.com/jonasLyk/status/1303762021742260233 … Went as exspected
- Show replies
New conversation -
-
-
Wow. Any idea what prompted them to change the DACLs? Seems like an extreme oversight.
-
They are finally realising that unprivileged life matters too!
- Show replies
New conversation -
-
-
Oh- and here is how to transform any arb read to EOP. As you can see reading the raw data stream can enable reading the SAM file. Use that to NTLM handshake with task scheduler and make system task execute. There you go
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
If your vulnerability do not allow you to escape to NT namespace- this can be done:pic.twitter.com/dRJLi1BNIQ
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.