Update: There has been new PsExec versions released in 2021 (v2.30 and v2.32), we confirmed them to also be vulnerable to this Local Privilege Escalation with minor PoC adjustments. So…this one’s been here for a while: a local privilege escalation vulnerability in PsExec. This local privilege escalation allows a non-admin…

MX Player is an Android App that you can find on the Google Play Store, having over 500M downloads. While this is a video player app, we won’t be attacking it with malformed video files. Instead I attacked the video sharing feature it had. This video sharing feature is a…

Remotely Leaking Antivirus Memory Recently, I disclosed a couple vulnerabilities in Webroot Secure Anywhere Antivirus, one of them being a standard Local Privilege Escalation via DLL hijack in %PROGRAMDATA% path. However, instead of writing about that, I felt it would be more interesting to go over CVE-2020–5754, a remotely exploitable…

UPDATED 5/20/2020: The blog post was updated to reflect the availability of updated versions of Signal on the Google Play Store and Apple App Store. Signal Private Messenger’s ease of use, multiplatform support, and end-to-end encryption for both text and calls have attracted millions of users per day. …

I‘m going to share an (ab)use of a Windows feature which can result in bypassing User Group Policy (as well as a few other interesting things). Bypassing User Group Policy is not the end of the world, but it’s also not something that should be allowed and depending on User…

Quick note: This research was a joint effort between Joseph Bingham and David Wells. The Discord chat app was the target of our latest research project. While this blog will not be covering any exploits, we will share what we learned about the Discord call protocol, and share our insights…

README Recently, I found a Kernel Write-What-Where vulnerability in Qualcomm Atheros WLAN Driver Service (QcomWlanSrvx64.exe) version 12.0.0.825, that came default on the Dell XPS I ordered. The affected kernel-mode component was Qcamain10x64.sys. I discovered this on what I thought was the latest Qualcomm Atheros service at the time (after fully updating…

Antivirus (AV) is a great target for vulnerability hunting: Large attack surface, complex parsing, and various components executing with high privileges. So a couple of months ago, I decided looked at the latest Comodo Antivirus v12.0.0.6810. I ended up finding a few cool things, however one I thought was worth…

A great way to learn any operating system (OS) is studying the OS’s APIs. Today we will be looking at SetThreadContext, a powerful and commonly seen API that is capable of changing the registers of remote threads. There are many use cases for such API, but security folk in particular…