HackAndPwn
Security & Vulnerability Researcher / Professional Penetration Tester

  • CVE-2020-11632

    Fixes an unquoted service path vulnerability.


  • CVE-2021-1427

    A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.


  • CVE-2021-1428

    A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.


  • CVE-2021-1429

    A vulnerability in the install process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform an executable hijacking attack on an affected device.


  • CVE-2021-1430

    A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.


  • CVE-2021-1496

    A vulnerability in the install process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform an executable hijacking attack on an affected device.


  • CVE-2021-23878

    Clear text storage of sensitive information in memory vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows a local user to view ENS settings and credentials by accessing process memory after the ENS administrator has performed specific actions.


  • CVE-2021-23879

    Unquoted service path vulnerability in McAfee Endpoint Product Removal (EPR) Tool prior to 21.2 allows local administrators to execute arbitrary code, with higher-level privileges, via execution from a compromised folder. The tool did not enforce and protect the execution path.


  • CVE-2021-27064

    A remote code execution vulnerability exists when the Visual Studio installer executes the feedback client in an elevated state.


  • CVE-2021-33907

    Windows Zoom Installer Digital Signature Bypass - The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.


  • CVE-2021-34408

    Zoom MSI Installer Elevated Write Using A Junction - A user-writable directory created during the installation of the Zoom Client for Meetings for Windows version prior to version 5.3.2 can be redirected to another location using a junction. This would allow an attacker to overwrite files that a limited user would otherwise be unable to modify.


  • CVE-2021-34409

    MacOS Installer Privilege Escalation - User-writable pre and post-install scripts unpacked during the Zoom Client for Meetings for MacOS installation before version 5.2.0 allow for privilege escalation to root.


  • CVE-2021-34410

    Zoom Plugin for Microsoft Outlook (MacOS) Installer Root App Privilege Escalation - A user-writable application bundle unpacked during the install for all versions of the Zoom Plugin for Microsoft Outlook for Mac before 5.0.25611.0521 allows for privilege escalation.


  • CVE-2021-34411

    Zoom Rooms Installer Local Privilege Escalation - During the installation process for Zoom Rooms for Conference Room for Windows before version 5.3.0 it is possible to launch Internet Explorer with elevated privileges. If the installer was launched with elevated privileges such as by SCCM this can result in a local privilege escalation.


  • CVE-2021-34412

    Zoom for Windows Installer Local Privilege Escalation - During the installation process for all versions of the Zoom Client for Meetings for Windows before 5.4.0, it is possible to launch Internet Explorer. If the installer was launched with elevated privileges such as by SCCM this can result in a local privilege escalation.


  • CVE-2021-34413

    Zoom MacOS Outlook Plugin Installer Local Privilege Escalation - All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context.


  • Windows 7 ESU Patching

    With the May 2020 Windows 7 updates, I went on a mission to determine the minimum set of updates needed to enable all features within Windows 7, including optional hotfixes, and to have the most up-to-date installation possible. After extensive testing, I concluded that 35 updates not offered through Windows Update would need to be installed to reach this objective. The following sections describe the updates required and provide links to each.


  • Windows 7 ESU Analysis Updates

    The original Windows 7 ESU Analysis can be found here. With the September 2020 Cumulative Update, the technique as described no longer works to install this update. However, only slight modifications need to be made in order for this new update to also install.


  • Windows 7 ESU Analysis

    The Windows 7 free security update window closed to consumers in January of 2020. However, due to the overwhelming popularity of the OS, Microsoft began offering Extended Security Updates (ESU) for the Operating System. The first update preparing a Windows 7 system for this next phase of patches is KB4528069. This post dissects the KB4528069 update to understand how ESUs differ from standard Windows 7 updates.


  • CVE-2020-16268

    The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user.


  • CVE-2020-27643

    The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory.


  • CVE-2020-27644

    The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges by placing a malicious file called cryptbase.dll in C:\Windows\Temp.


  • CVE-2020-27645

    The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges.


  • CVE-2020-7316

    Unquoted service path vulnerability in McAfee File and Removable Media Protection (FRP) prior to 5.3.0 allows local users to execute arbitrary code, with higher privileges, via execution from a compromised folder. This issue may result in files not being encrypted when a policy is triggered.


  • CVE-2020-7331

    Unquoted service executable path in McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.


  • CVE-2020-7323

    Authentication Protection Bypass vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows physical local users to bypass the Windows lock screen via triggering certain detection events while the computer screen is locked and the McTray.exe is running with elevated privileges.


  • CVE-2019-3585

    Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow local users to interact with the On-Access Scan Messages - Threat Alert Window with elevated privileges via running McAfee Tray with elevated privileges.


  • CVE-2019-3588

    Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow unauthorized users to interact with the On-Access Scan Messages - Threat Alert Window when the Windows Login Screen is locked.


  • CVE-2020-11443

    The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files otherwise not deletable by the user.


  • CVE-2020-7255

    Privilege escalation vulnerability in the administrative user interface in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to gain elevated privileges via a configuration error.


  • CVE-2020-7274

    Privilege escalation vulnerability in McTray.exe in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 Update allows local users to spawn unrelated processes with elevated privileges via the system administrator granting McTray.exe elevated privileges.


  • CVE-2019-3637

    Privilege Escalation vulnerability in McAfee FRP 5.x earlier than 5.1.0.209 allows local users to gain elevated privileges via running McAfee Tray with elevated privileges.


  • CVE-2019-3621

    Authentication protection bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLP Endpoint) for Windows 11.x prior to 11.3.0 allows a physical local user to bypass the Windows lock screen via DLP Endpoint processes being killed just prior to the screen being locked or when the screen is locked.


  • CVE-2018-10959

    Mitre and NVD have recently made this 7.5 high severity CVE public, describing the vulnerability as an Untrusted Search Path vulnerability, exploitable by modifying environment variables to trigger automatic elevation of an attacker’s process launch.


  • CVE-2018-6689

    Authentication bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLP Endpoint) 10.0.x earlier than 10.0.510, and 11.0.x earlier than 11.0.600 allows attackers to bypass local security protection via specific conditions.


  • CVE-2018-6674

    When the process McTray.exe runs with elevated privileges, VSE might spawn a process inheriting the parent’s privileges. This issue exposes the system to be manipulated by an attacker.

