Version: Avira Optimizer < 1.2.0.367 Operating System tested on: Windows 10 1803 (x64) Vulnerability: Avira Optimizer Local Privilege Escalation through insecure named pipes Vulnerability Overview When users install the latest Avira antivirus, it comes shipped with a few different components along with it by default. One of these components is…

Version: Snagit 2019.1.2 Build 3596 Operating System tested on: Windows 10 1803 (x64) Vulnerability: SnagIt Relay Classic Recorder Local Privilege Escalation through insecure file move This vulnerability was found in conjunction with Marcus Sailler, Rick Romo and Gary Muller of Capital Group’s Security Testing Team Vulnerability Overview Every 30–60 seconds…

Version: Razer Surround 1.1.63.0 Operating System tested on: Windows 10 1803 (x64) Vulnerability: Razer Surround Elevation of Privilege through Insecure folder/file permissions Purpose I hope that this post serves as a motivator for folks who see vulnerability research as an intimidating area to get started in. While this bug can…

Product Version: Razer Synapse 3 (3.3.1128.112711) Windows Client Downloaded from: https://www.razer.com/downloads Operating System tested on: Windows 10 1803 (x64) Vulnerability: Razer Synapse Windows Service EoP Brief Description: The Razer Synapse software has a service (Razer Synapse Service) that runs as “NT AUTHORITY\SYSTEM” and loads multiple .NET assemblies from “C:\ProgramData\Razer\*”. The…

The process of vulnerability disclosure can be riddled with frustrations, concerns about ethics, and communication failure. I have had tons of bugs go well. I have had tons of bugs go poorly. I submit a lot of bugs, through both bounty programs (Bugcrowd/HackerOne) and direct reporting lines (Microsoft). I’m not…

Device Guard and the enlightened scripting environments that come with it are a lethal combination for disrupting attacker activity. Device Guard will prevent unapproved code from executing while placing scripting languages such as PowerShell and the Windows Scripting Host in a locked down state. In order to operate in such…

As an attacker, initial access can prove to be quite the challenge against a hardened target. When selecting a payload for initial access, an attacker has to select a file format that allows arbitrary code execution or shell command execution with minimal user interaction. These file formats can be sparse…

TL;DR: You can achieve DDE execution with Excel SpreadSheets embedded within OneNote. This bypasses the original Excel mitigation ruleset (Microsoft has released a patch to properly mitigate this) as well as the Protected View sandbox 🙂 Dynamic Data Exchange (DDE) has been a hot topic as of late. For those…

In the past, I have blogged about various methods of lateral movement via the Distributed Component Object Model (DCOM) in Windows. This typically involves identifying a DCOM application that has an exposed method allowing for arbitrary code execution. In this example, I’m going to cover Outlook’s CreateObject() method. If you…