First I would like to assign a special triple FUCK YOU to ASUS. Be aware that if you ever buy an ASUS PC you get something where you have to fight the OEM to keep it secure. Let's try and do this from my perspective, where I describe my mental process when I stumble upon a sec fuckup.
OK, for exploitability we need a combination of factors: (1) a privileged process does a write/delete/setacl/create operation, (2) on a path that we can redirect by making some element in it a junction folder, and (3) as we don't have delete permissions, we need the folder to become empty.
If we find those factors we can redirect a create to a system path. That doesn't really help us much though: ACLs get set on creation, so we would end up with the redirected file/folder having the default ACL of the folder we redirected to... Let's get more info: pic.twitter.com/FxSW3GJ7XY
Hmm, let's extract all strings from all files in the driver package: pic.twitter.com/nMoJTwtEWP
All right, it's a standard exe, not a service. If there is not a "-" in the arguments passed to it on run, it will load the file... but what runs that exe then? pic.twitter.com/4OmWqEJDe4
Exe referenced in the .inf for copy and the .cat for signature, and then AsusSoftwareManager.exe. Again a normal exe file, but it references schedulemanager? Let's have a look if there is something going on in tasks maybe... pic.twitter.com/GFrkXbYgGS
All right, this runs asushotkeyexec.exe as SYSTEM... but it is passed a "-" as argument. Close but no cigar! pic.twitter.com/gMHw7iWEb0
Wait, what am I talking about? It was not asushotkeyexec I looked at before; I haven't looked at that yet. Let's have a look :D
It is Windows Audio, so chances of it just being random are quite high :D Haven't seen that crash before though.
Hmm, nothing interesting happening with that argument, though the event can trigger god knows what... pic.twitter.com/7et3TZqvWe
All right, there is plenty of privileged attack surface it can trigger... The two processes running as, I assume, the current logged-in user (one elevated) are started by the manager service. pic.twitter.com/e76LF2DErY
Add highlight for impersonation! I ran the hotkey task while recording; lots of stuff going on, but nothing that screams easily exploitable... Much is very likely exploitable, but I am searching for the lowest-hanging fruit. pic.twitter.com/nhgEaC9NXL
WTF is it trying to open there? pc....assistant? I don't need no fucking assistance! Oh fuck, there is also a UWP app installed. That is just fantastic. pic.twitter.com/ZQWSC1V3Fl
HAH! They included the IDL for their LiveUpdate RPC: https://pastebin.com/raw/Q2pfn9xp
Okay, it's a massive shit show with Weibo, Facebook, Google auth etc. that enable access to tracking APIs claiming you get gifts or something. At least there are also test logins and test URLs embedded. pic.twitter.com/mPMnTguygH
I enable the device portal; that is the only way I know to run a Metro app without having an appx reparse point. pic.twitter.com/6RE3ELln4t
Hmmm, I have uninstalled it as my user but it lives on for SYSTEM and cannot be removed or executed as a user... WTF pic.twitter.com/sjsQ3vuGsn
This is not stupid actually... this way the app has full access out of the UWP sandbox, but there is no GUI option to remove it... Fuck you ASUS, I will document how to do it. pic.twitter.com/PMqZ3lZiBv
And the files get kernel protection, so not even a driver or any kind of privilege or user group can tamper with the files... pic.twitter.com/O5QrMTSyJF
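Editor's added example, not part of the thread and not ASUS code: a PowerShell triage for factors (1) and (2) listed at the start of the thread. It enumerates scheduled tasks that run as SYSTEM (or elevated), as the author did by hand with the hotkey task, and for each action's executable walks the path towards the drive root looking for a directory a normal user could swap for a junction: its parent grants create rights and the directory itself is absent or deletable by that user. Factor (3), that the directory is actually empty at the moment of the swap, is not checked. Task names, paths and ACLs are whatever the machine it runs on has; the path in the usage note below is made up.

```powershell
# Added example (not from the thread): find SYSTEM scheduled tasks whose
# executable path contains an element a normal user could replace with a
# junction. Emptiness of that element (factor 3) is left to the analyst.

Import-Module ScheduledTasks

# Rights masks. Raw GENERIC_WRITE / GENERIC_ALL bits are included because some
# installers write ACEs with generic rights the FileSystemRights enum does not name.
$GENERIC_ALL   = 0x10000000
$GENERIC_WRITE = 0x40000000
$CreateMask      = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, ChangePermissions, TakeOwnership' -bor $GENERIC_WRITE -bor $GENERIC_ALL
$DeleteMask      = [int][System.Security.AccessControl.FileSystemRights]'Delete, ChangePermissions, TakeOwnership' -bor $GENERIC_ALL
$DeleteChildMask = [int][System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles' -bor $GENERIC_ALL

function Test-UserRight {
    param([string]$Path, [int]$Mask)
    # $true if the current token (user SID plus group SIDs) is granted any bit of
    # $Mask on $Path. Deny ACEs are subtracted wholesale, ignoring ACE order,
    # which is good enough for triage but not a full access check.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $false }
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $allowed = 0; $denied = 0
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or unresolvable account
        if ($mySids -notcontains $sid) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor [int]$ace.FileSystemRights }
        else { $denied = $denied -bor [int]$ace.FileSystemRights }
    }
    return (($allowed -band (-bnot $denied)) -band $Mask) -ne 0
}

function Get-ReplaceableElement {
    param([string]$Path)
    # Walk from $Path's directory up to the drive root. Return the first directory
    # whose parent lets us create entries AND which we could get rid of (it does
    # not exist, we hold Delete on it, or the parent grants
    # DeleteSubdirectoriesAndFiles). That is the element a junction could replace
    # before the privileged process touches the path. $null if every element is pinned.
    if (-not [System.IO.Path]::IsPathRooted($Path)) { return $null }
    $element = Split-Path -Parent $Path
    while ($element) {
        $parent = Split-Path -Parent $element
        if (-not $parent) { break }   # $element is directly under the drive root
        if (Test-UserRight $parent $CreateMask) {
            $removable = -not (Test-Path -LiteralPath $element) -or
                         (Test-UserRight $element $DeleteMask) -or
                         (Test-UserRight $parent $DeleteChildMask)
            if ($removable) { return $element }
        }
        $element = $parent
    }
    return $null
}

function Get-SystemTaskTargets {
    # Scheduled tasks running as SYSTEM or with highest privileges, one record per
    # exec action, with the executable path resolved (quotes stripped, %VARS% expanded).
    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -match '^(SYSTEM|S-1-5-18|NT AUTHORITY\\SYSTEM|LocalSystem)$' -or
        $_.Principal.RunLevel -eq 'Highest'
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                RunAs     = $task.Principal.UserId
                Execute   = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
                Arguments = $action.Arguments   # e.g. the "-" the thread noticed
            }
        }
    }
}

Get-SystemTaskTargets | ForEach-Object {
    $element = Get-ReplaceableElement -Path $_.Execute
    if ($element) {
        "{0}`n  runs as {1}: {2} {3}`n  replaceable path element: {4}" -f $_.Task, $_.RunAs, $_.Execute, $_.Arguments, $element
    }
}
```

The executable path is only the obvious candidate; the thread's real hunt was over paths the privileged processes touch at runtime. Any path pulled from a Procmon capture (the target of a CreateFile, SetSecurityFile or SetDispositionInformationFile event from the SYSTEM process) can be fed to the same check, for example `Get-ReplaceableElement 'C:\ProgramData\SomeVendor\tmp\out.log'` with a made-up path. A non-null result means the path has a swappable element; whether that element can be emptied at the right moment still has to be confirmed by hand.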