Windows 10 Privilege Escalation (Sound Research SECOMN service) https://github.com/sailay1996/SECOMN_EoP …pic.twitter.com/PkK4d3LWNp
Vulnerability Analyst at the CERT/CC. My thoughts are my own, not my employer's.
Is there a CVE Number related to this vuln?
I would assert that SECOMN is not the vulnerability. A user-writable path that is in the SYSTEM-wide PATH environment variable is the problem. There are an indefinite number of ways to exploit that condition. Check for that condition using this script: https://gist.github.com/wdormann/eb714d1d935bf454eb419a34be266f6f …
You may be correct but most of the user machines in real life already have the user writeable path in env variable. There are a lot of CVEs like this vuln. Example: https://www.terabitweb.com/2019/08/17/trend-micro-password-manager-flaw-html/ …
Yeah but without the service to hijack, why would the writable path matter?
For example, take a fully-patched (as of March 2020) Windows 8.1 box that has no additional software on it. Sysinternals Suite binaries are in a directory. We have a user-writable path in the SYSTEM PATH. Let's look at what privileged processes look for when the system boots. pic.twitter.com/9mWteTIVK1
If I put a DLL in that user-writable directory and check after the next reboot? calc.exe as SYSTEM. The more software you install, the more possibilities you get. This is why I concluded that finding a service to target is not a problem. The user-writable directory is the problem. pic.twitter.com/R74LHSinZV
So you say that if I have ANY user writable PATH Environment Variable folder nearly every service searches there for the DLL files in the default search order? Or do they only search there for missing files? I could have exploited this config in the past many times :-/
If the user-writable directory is early enough in the search priority, then it could possibly work for libraries that exist elsewhere. But I suspect the most common use case is when a privileged service can't find a library (which is common enough, IMO).
I did not know that, so I learned one more thing now :-) Really good to know.
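A defensive audit for the condition the thread identifies, a user-writable directory in the SYSTEM-wide PATH, as an added example (not part of the thread and not the gist linked in it). The trusted-SID list, the `Get-WritableAce` name and the choice to check the nearest existing parent of a missing PATH entry are assumptions of this example.

```powershell
# Added example: list machine-wide PATH entries that a non-admin principal can write to.
# Assumption: only SYSTEM, Administrators and TrustedInstaller are treated as trusted.
$trusted = @(
    'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# Rights that allow dropping a file or creating a subdirectory:
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4), GENERIC_WRITE, GENERIC_ALL.
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-WritableAce {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]$ace.PropagationFlags -band 2) { continue }   # InheritOnly: not for this dir
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) { $ace }
    }
}

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    $state = 'exists'
    try {
        # A PATH entry that does not exist is checked via its nearest existing parent:
        # whoever can create the directory there controls what is loaded from it.
        while ($dir -and -not (Test-Path -LiteralPath $dir -PathType Container)) {
            $dir = [System.IO.Path]::GetDirectoryName($dir)
            $state = 'missing, nearest existing parent checked'
        }
        if (-not $dir) { continue }
        foreach ($ace in Get-WritableAce -Directory $dir) {
            [pscustomobject]@{
                PathEntry = $entry
                Checked   = $dir
                State     = $state
                Sid       = $ace.IdentityReference.Value   # e.g. S-1-5-11 = Authenticated Users
                Rights    = $ace.FileSystemRights
            }
        }
    } catch {
        Write-Warning "Could not evaluate '$entry': $_"
    }
}
```

Any row in the output is a PATH entry to fix, either by tightening the directory ACL or by removing the entry from the machine PATH.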