​Foreword
ACTIVECYBER has incorporated NPK into our arsenal of tools for penetration testing with clients, and we believe that sharing this with our ACTIVELabs library of resources would be beneficial to the community.

​Password hashes are an essential part of many security assessments. Recovering plaintext passwords from these hashes can be crucial in a penetration test. However, hash cracking can be a challenging task for any penetration team as hashing is not reversible. The process involves making guesses about the original password, hashing them, and comparing the results with the available hash. Many tools like John the Ripper and Hashcat are available for cracking a variety of hash types, but the biggest challenge lies in the hardware.

​GeForce Experience is the companion application to your GeForce GTX graphics card. It keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends. It also regularly downloads new game profiles which are essentially collections of settings that control what your graphics driver does when it loads specific games. We have identified DLL Hijacking vulnerability in GeForce Experience software in late 2019 (see link for more details) and decided to revisit said software again this year. This led to the discovery of CVE-2020-5978 and CVE-2020-5990 within the same component, that is GAMESTREAM. However, in this blog post we will only go over CVE-2020-5990 because it’s more interesting from an exploitation standpoint.

​The AppX Deployment Service (AppXSVC) on Microsoft Windows suffers from an arbitrary file/directory deletion vulnerability that could be triggered by standard non-privileged users due to improper user impersonation during the removal process of any application from the Windows App Store (also known as Microsoft Store) leading to an elevation of privileges attack. Now, before we dive into the finding details, let's briefly talk about the vulnerable service and Microsoft Store applications.

​Overwolf is a software platform designed to help developers create extensions for video games, which are then offered to users through Overwolf's App Store. The extensions are often focused on providing in-game services that would normally require a user to exit the game, such as the use of a web browser or an IM client. Other extensions provide game-specific features that can remind users about certain in-game events, easing the game experience. The platform has gained traction in competitive video games, such as eSports and MMORPGs, where native extensions are often forbidden due to concerns about cheating. Overwolf extensions sidestep this concern since they do not interact with the game engine; they operate exclusively on the overlay created by the main Overwolf program.

Vulnerability Type:
Privilege Escalation
Vendors:
IDrive Inc.
CVE ID:
CVE-2020-15351
Affected Products:

• IDrive for Windows prior to version 6.7.3.19

Summary:
​IDrive for Windows prior to version 6.7.3.19 installs by default to “C:\Program Files(x86)\IDriveWindows” with weak folder permissions granting any user modify permission “NT AUTHORITY\Authenticated Users:(OI)(CI)(M)” to the contents of the directory and it's sub-folders. In addition, the program installs a service called “IDriveService” which runs as Local system, this will allow any standard user to escalate privileges to “NT AUTHORITY\SYSTEM” by substituting the service's binary with malicious one.

​Vulnerability Type:
Privilege Escalation
Vendors:
G.SKILL International Enterprise Co., Ltd.
CVE ID:
CVE-2020-12446
Affected Products:

• Trident Z Lighting Control v1.00.08 and older

Summary:
​ene.sys driver in Trident Z Lighting Control v1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users which leads to privilege escalation as “NT AUTHORITY\SYSTEM”.

​Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package an application with all of the parts it needs, such as libraries and dependencies, then deploy it as one package. By doing so, thanks to the container, the developer can rest assured that the application will run on any other machine regardless of any customized settings that machine might have which could differ from the machine used for writing and testing the code. Docker Desktop is used for building and sharing containerized applications and microservices for Mac and Windows machines. 

​CORSAIR is considered one of the world’s leading providers for high-performance PC peripherals and components. It offers a complete range of products to equip gamers and content creators, including keyboards, mice, headsets, capture cards, studio controllers, etc. While researching the interface software that is CORSAIR iCUE v3.23.66 (the latest at the time of research), we’ve found that said software installs a driver that will allow low privileged users to map an arbitrary physical memory which leads to local privilege escalation.

Recently, we found a Kernel logic bug in Viper RGB software version 1.0 which is used to manage Viper Gaming DRAM memory modules. The affected component of said software was MsIo64.sys/MsIo32.sys driver which was then utilized to achieve Local Privilege Escalation. The following is the process used to identify and exploit the security vulnerability. Let’s start off by examining the device permissions.