Powered by ACTIVECYBER, LLC
Powered by ACTIVECYBER, LLC
Overwolf is a software platform designed to help developers create extensions for video games, which are then offered to users through Overwolf's App Store. The extensions are often focused on providing in-game services that would normally require a user to exit the game, such as the use of a web browser or an IM client. Other extensions provide game-specific features that can remind users about certain in-game events, easing the game experience. The platform has gained traction in competitive video games, such as eSports and MMORPGs, where native extensions are often forbidden due to concerns about cheating. Overwolf extensions sidestep this concern since they do not interact with the game engine; they operate exclusively on the overlay created by the main Overwolf program.
IDrive for Windows prior to version 18.104.22.168 installs by default to “C:\Program Files(x86)\IDriveWindows” with weak folder permissions granting any user modify permission “NT AUTHORITY\Authenticated Users:(OI)(CI)(M)” to the contents of the directory and it's sub-folders. In addition, the program installs a service called “IDriveService” which runs as Local system, this will allow any standard user to escalate privileges to “NT AUTHORITY\SYSTEM” by substituting the service's binary with malicious one.
G.SKILL International Enterprise Co., Ltd.
ene.sys driver in Trident Z Lighting Control v1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users which leads to privilege escalation as “NT AUTHORITY\SYSTEM”.
Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package an application with all of the parts it needs, such as libraries and dependencies, then deploy it as one package. By doing so, thanks to the container, the developer can rest assured that the application will run on any other machine regardless of any customized settings that machine might have which could differ from the machine used for writing and testing the code. Docker Desktop is used for building and sharing containerized applications and microservices for Mac and Windows machines.
CORSAIR is considered one of the world’s leading providers for high-performance PC peripherals and components. It offers a complete range of products to equip gamers and content creators, including keyboards, mice, headsets, capture cards, studio controllers, etc. While researching the interface software that is CORSAIR iCUE v3.23.66 (the latest at the time of research), we’ve found that said software installs a driver that will allow low privileged users to map an arbitrary physical memory which leads to local privilege escalation.
Recently, we found a Kernel logic bug in Viper RGB software version 1.0 which is used to manage Viper Gaming DRAM memory modules. The affected component of said software was MsIo64.sys/MsIo32.sys driver which was then utilized to achieve Local Privilege Escalation. The following is the process used to identify and exploit the security vulnerability. Let’s start off by examining the device permissions.
GeForce Experience is the companion application to your GeForce GTX graphics card. It keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends. It also regularly downloads new game profiles which are essentially collections of settings that control what your graphics driver does when it loads specific games. In this blog post, we will walkthrough identifying and exploiting a Local Privilege Escalation vulnerability we found in GeForce Experience version 22.214.171.124 (the latest as of this writing) and older.
With the notable increase in the number of symbolic link elevation of privileges vulnerabilities on Windows platforms as of late, we at ACTIVELabs have set a goal for ourselves to find a new one. This blog post will detail finding and exploiting said vulnerability in Netwrix Auditor version 9.7 and earlier. Please note, abusing symbolic links has been leveraged for years now, particularly in the *nix world to achieve local privilege escalation and as such we’ll assume you know the idea behind it and most importantly how it can be abused. Let’s start by examining the problematic log file permissions for the effected software.
While conducting research on insecure Windows Communication Foundation (WCF) endpoints we stumbled upon SolarWinds fleet of products for two reasons; first, they have handful of software that you can test and secondly, most of the services were built using .NET Framework which makes it a strong candidate for our research.
To continue our journey in the realm of bypassing UAC (see previous work here), we’ve decided to investigate Windows Server 2019. Please note this blog post is not a UAC primer but if you need to learn more about the subject, we think Wikipedia is a good place to start. The following is the process used to find a new UAC bypass in systemreset.exe binary using DLL Hijacking method. The technique was tested on Windows Server 2019 Version 1809 (OS Build 17763.404) and its still valid as of this writing.
ACTIVELabs was created in 2018 to hunt and research undiscovered vulnerabilities, report them to vendors via responsible disclosure programs, publish advisories, develop and validate new patches, and to share this information for the advancement of the cybersecurity community. ACTIVELabs was established with the mission of securing our ever-growing client base, partnerships, and the technology community as a whole.
We are actively providing the community with verified findings and research that leads to the creation of new Common Vulnerabilities and Exposures (CVEs) and updates to the National Vulnerability Database (NVD). For a full listing of all of our Advisories, visit our GitHub page here.