Okay... just default inherited ACL, if it was not it would mean there even was a setsecurity to redirect.....pic.twitter.com/ZPwvqYQ2k7
Show this thread
-
Allright, its a standard exe, not a service- if there is not a - in the arguments passed to it on run it will load the file... but what runs that exe then?pic.twitter.com/4OmWqEJDe4
Show this thread
Exe referenced in inf for copy and .cat for signature and then AsusSoftwareManager.exe Again a normal exe file, but it references schedulemanager? Lets have a look if there is something going in tasks maybe....pic.twitter.com/GFrkXbYgGS
-
-
-
Allright, this runs the asushotkeyexec.exe as system ..... But is passed a - as argument, close but no cigar!pic.twitter.com/gMHw7iWEb0
Show this thread -
wait- what am I talking about, it was not asushotkeyexec i looked at before, i havent looked at that yet, lets have a look :D
Show this thread -
-
it is windows audio- so chances of it just being random are quite high :D havent seen that crash before though
Show this thread -
Hmm- nothing interesting happening with that argument, though the event can trigger god knows what....pic.twitter.com/7et3TZqvWe
Show this thread -
Allright, there is plenty privileged attack surface it can trigger... The two processes running as I assume current logged in user(one elevated) are started by the manager service.pic.twitter.com/e76LF2DErY
Show this thread -
-
Add highlight for impersonation! I ran the hotkey task while recording lots of stuff going on, but nothing that screams easily exploitable.... much is very likely exploitable- but i am searching for the lovest hanging fruitpic.twitter.com/nhgEaC9NXL
Show this thread -
WTF is it trying to open there? pc....assistant? I dont need no fucking assistance! Oh fuck there is also an uwp app installed- that is just fantasticpic.twitter.com/ZQWSC1V3Fl
Show this thread -
HAH! they included idl for their liveupdate RPC https://pastebin.com/raw/Q2pfn9xp
Show this thread -
okay its a massive shit show with weibo facebook google auth etc. that enable access to tracking apis claiming you get gifts or something- at least there is also test logins and test urls embeddedpic.twitter.com/mPMnTguygH
Show this thread -
I enable the device portal- that is only way i know to run an metro app without having a appx reparse pointpic.twitter.com/6RE3ELln4t
Show this thread -
hmmm- i have uninstalled it as my user but it lives on for system and cannot be removed or executed as an user...wtfpic.twitter.com/sjsQ3vuGsn
Show this thread -
This is not stupid actually...this way the app have full access out if the uwp sandbox - but there is no gui option to remove it.... fuck you asus- i will document how to do itpic.twitter.com/PMqZ3lZiBv
Show this thread -
And the files get kernel protection so not even a driver or any kind of privelegie or user group can tamper with the files....pic.twitter.com/O5QrMTSyJF
Show this thread -
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.