I'm publishing some research today, a major design flaw in Windows that's existed for almost *two decades*. I wrote a blog post on the story of the discovery all the way through to exploitation.
https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html
Replying to @taviso
Great post and wonderful research. I have not been able to find the Microsoft Update related to this exploit. I see your attribution for the ALPC privilege escalation, but not the CTF attribution... did Microsoft respond or assign a CVE# ?
Replying to @miketlester @taviso
My understanding is that the ALPC component is core to CTF exploitation. So if Microsoft "Fixed" ALPC, then perhaps all of the CTF attacks as outlined may be neutered. Personally, I don't know enough about CTF nor what Microsoft changed in ALPC to know this for sure.
For example, compare the output of the July patch level vs. August patch level with the ctftool.exe output. As of August, you can't even enumerate connected clients. To me, that seems like a non-starter. pic.twitter.com/vND5KbBz1f
I think it stopped working because they changed the connection message format (it has to match or the server won't accept the connection). That can be fixed, and then the edit session attacks should still work. I don't really know why they called it an "ALPC" bug. 