HackAndPwn
Security & Vulnerability Researcher / Professional Penetration Tester

Home

  • Windows 7 ESU Patching

    With the May 2020 Windows 7 updates, I went on a mission to determine the minimum set of updates needed to enable all features within Windows 7, including optional hotfixes, and to have the most up-to-date installation possible. After extensive testing, I concluded that 42 updates not offered through Windows Update would need to be installed to reach this objective. The following sections describe the updates required and provide links to each.


  • Windows 7 ESU Analysis Updates

    The original Windows 7 ESU Analysis can be found here. With the September 2020 Cumulative Update, the technique as described no longer works to install this update. However, only slight modifications need to be made in order for this new update to also install.


  • CVE-2022-36414

    There is an elevation of privilege breakout vulnerability in the Windows EXE installer in Scooter Beyond Compare 4.2.0 through 4.4.2 before 4.4.3. Affected versions allow a logged-in user to run applications with elevated privileges via the Clipboard Compare tray app after installation.


  • CVE-2022-36415

    A DLL hijacking vulnerability exists in the uninstaller in Scooter Beyond Compare 1.8a through 4.4.2 before 4.4.3 when installed via the EXE installer. The uninstaller attempts to load DLLs out of a Windows Temp folder. If a standard user places malicious DLLs in the C:\Windows\Temp\ folder, and then the uninstaller is run as SYSTEM, the DLLs will execute with elevated privileges.


  • CVE-2022-30570

    The Column Based Security component of TIBCO Software Inc.’s TIBCO Data Virtualization and TIBCO Data Virtualization for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with network access to obtain read access to application information on the affected system. Affected releases are TIBCO Software Inc.’s TIBCO Data Virtualization: versions 8.5.2 and below and TIBCO Data Virtualization for AWS Marketplace: versions 8.5.2 and below.


  • CVE-2022-31012

    Git for Windows is a fork of Git that contains Windows-specific patches. This vulnerability in versions prior to 2.37.1 lets Git for Windows’ installer execute a binary into C:\mingw64\bin\git.exe by mistake. This only happens upon a fresh install, not when upgrading Git for Windows. A patch is included in version 2.37.1. Two workarounds are available. Create the C:\mingw64 folder and remove read/write access from this folder, or disallow arbitrary authenticated users to create folders in C:.


  • CVE-2022-2145

    Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.


  • CVE-2022-29093

    Dell SupportAssist Client Consumer versions (3.10.4 and versions prior) and Dell SupportAssist Client Commercial versions (3.1.1 and versions prior) contain an arbitrary file deletion vulnerability. Authenticated non-admin user could exploit the issue and delete arbitrary files on the system.


  • CVE-2022-29094

    Dell SupportAssist Client Consumer versions (3.10.4 and versions prior) and Dell SupportAssist Client Commercial versions (3.1.1 and versions prior) contain an arbitrary file deletion/overwrite vulnerability. Authenticated non-admin user could exploit the issue and delete or overwrite arbitrary files on the system.


  • CVE-2022-26865

    Dell Support Assist OS Recovery versions before 5.5.2 contain an Authentication Bypass vulnerability. An unauthenticated attacker with physical access to the system may exploit this vulnerability by bypassing OS Recovery authentication in order to run arbitrary code on the system as Administrator.


  • CVE-2022-24767

    Git for Windows is a fork of Git containing Windows-specific patches. Since part of Git for Windows’ uninstaller is copied into the current user’s temporary directory and run in that place, it is important to ensure that there are no malicious .dll file in that directory that might be loaded as part of loading the executable. However, the default system settings for TMP and TEMP are to point to C:\Windows\Temp, a folder that is world-writable (for historical reasons), and the SYSTEM user account inherits those settings. This means that any authenticated user can place malicious .dll files that are loaded when Git for Windows’ uninstaller is run via the SYSTEM account. Fixes are available in Git for Windows v2.35.2 or newer. Users unable to upgrade may override SYSTEM’s TMP environment variable to point to a directory exclusively under SYSTEM’s control before running the uninstaller, clear C:\Windows\Temp of all .dll files before running the uninstaller, or run the uninstaller under an admin account rather than SYSTEM as a workaround.


  • CVE-2022-28247

    Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by an uncontrolled search path vulnerability that could lead to local privilege escalation. Exploitation of this issue requires user interaction in that a victim must run the uninstaller with Admin privileges.


  • CVE-2022-22665

    Apple macOS AppKit - A malicious application may be able to gain root privileges.


  • CVE-2022-24525

    Windows Update Stack Elevation of Privilege Vulnerability


  • CVE-2022-26488

    In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.


  • CVE-2022-22943

    VMware Tools for Windows (11.x.y and 10.x.y prior to 12.0.0) contains an uncontrolled search path vulnerability. A malicious actor with local administrative privileges in the Windows guest OS, where VMware Tools is installed, may be able to execute code with system privileges in the Windows guest OS due to an uncontrolled search path element.


  • CVE-2021-42563

    There is an Unquoted Service Path in NI Service Locator (nisvcloc.exe) in versions prior to 18.0 on Windows. This may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges.


  • CVE-2020-11632

    Fixes an unquoted service path vulnerability.


  • CVE-2021-1427

    A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.


  • CVE-2021-1428

    A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.


  • CVE-2021-1429

    A vulnerability in the install process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform an executable hijacking attack on an affected device.


  • CVE-2021-1430

    A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.


  • CVE-2021-1496

    A vulnerability in the install process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform an executable hijacking attack on an affected device.


  • CVE-2021-23878

    Clear text storage of sensitive Information in memory vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows a local user to view ENS settings and credentials via accessing process memory after the ENS administrator has performed specific actions.


  • CVE-2021-23879

    Unquoted service path vulnerability in McAfee Endpoint Product Removal (EPR) Tool prior to 21.2 allows local administrators to execute arbitrary code, with higher-level privileges, via execution from a compromised folder. The tool did not enforce and protect the execution path.


  • CVE-2021-27064

    A remote code execution vulnerability exists when the Visual Studio installer executes the feedback client in an elevated state.


  • CVE-2021-33907

    Windows Zoom Installer Digital Signature Bypass - The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.


  • CVE-2021-34408

    Zoom MSI Installer Elevated Write Using A Junction - A user-writable directory created during the installation of the Zoom Client for Meetings for Windows version prior to version 5.3.2 can be redirected to another location using a junction. This would allow an attacker to overwrite files that a limited user would otherwise be unable to modify.


  • CVE-2021-34409

    MacOS Installer Privilege Escalation - User-writable pre and post-install scripts unpacked during the Zoom Client for Meetings for MacOS installation before version 5.2.0 allow for privilege escalation to root.


  • CVE-2021-34410

    Zoom Plugin for Microsoft Outlook (MacOS) Installer Root App Privilege Escalation - A user-writable application bundle unpacked during the install for all versions of the Zoom Plugin for Microsoft Outlook for Mac before 5.0.25611.0521 allows for privilege escalation.


  • CVE-2021-34411

    Zoom Rooms Installer Local Privilege Escalation - During the installation process for Zoom Rooms for Conference Room for Windows before version 5.3.0 it is possible to launch Internet Explorer with elevated privileges. If the installer was launched with elevated privileges such as by SCCM this can result in a local privilege escalation.


  • CVE-2021-34412

    Zoom for Windows Installer Local Privilege Escalation - During the installation process for all versions of the Zoom Client for Meetings for Windows before 5.4.0, it is possible to launch Internet Explorer. If the installer was launched with elevated privileges such as by SCCM this can result in a local privilege escalation.


  • CVE-2021-34413

    Zoom MacOS Outlook Plugin Installer Local Privilege Escalation - All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context.


  • CVE-2021-22037

    Under certain circumstances, when manipulating the Windows registry, InstallBuilder uses the reg.exe system command. The full path to the command is not enforced, which results in a search in the search path until a binary can be identified. This makes the installer/uninstaller vulnerable to Path Interception by Search Order Hijacking, potentially allowing an attacker to plant a malicious reg.exe command so it takes precedence over the system command. The vulnerability only affects Windows installers.


  • CVE-2021-22038

    On Windows, the uninstaller binary copies itself to a fixed temporary location, which is then executed (the originally called uninstaller exits, so it does not block the installation directory). This temporary location is not randomized and does not restrict access to Administrators only so a potential attacker could plant a binary to replace the copied binary right before it gets called, thus gaining Administrator privileges (if the original uninstaller was executed as Administrator). The vulnerability only affects Windows installers.


  • Windows 7 ESU Analysis

    The Windows 7 free security update window closed to consumers in January of 2020. However, due to the overwhelming popularity of the OS, Microsoft began offering Extended Security Updates (ESU) for the Operating System. The first update preparing a Windows 7 system for this next phase of patches is KB4528069. This post dissects the KB4528069 update to understand how ESUs differ from standard Windows 7 updates.


  • CVE-2020-16268

    The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user.


  • CVE-2020-27643

    The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory.


  • CVE-2020-27644

    The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges by placing a malicious file called cryptbase.dll to the C:\Windows\Temp.


  • CVE-2020-27645

    The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges.


  • CVE-2020-7316

    Unquoted service path vulnerability in McAfee File and Removable Media Protection (FRP) prior to 5.3.0 allows local users to execute arbitrary code, with higher privileges, via execution and from a compromised folder. This issue may result in files not being encrypted when a policy is triggered.


  • CVE-2020-7331

    Unquoted service executable path in McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.



  • CVE-2020-7323

    Authentication Protection Bypass vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows physical local users to bypass the Windows lock screen via triggering certain detection events while the computer screen is locked and the McTray.exe is running with elevated privileges.


  • CVE-2019-3585

    Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow local users to interact with the On-Access Scan Messages - Threat Alert Window with elevated privileges via running McAfee Tray with elevated privileges.


  • CVE-2019-3588

    Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow unauthorized users to interact with the On-Access Scan Messages - Threat Alert Window when the Windows Login Screen is locked.


  • CVE-2020-11443

    The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files otherwise not deletable by the user.


  • CVE-2020-7255

    Privilege escalation vulnerability in the administrative user interface in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to gain elevated privileges via a configuration error.


  • CVE-2020-7274

    Privilege escalation vulnerability in McTray.exe in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 Update allows local users to spawn unrelated processes with elevated privileges via the system administrator granting McTray.exe elevated privileges.


  • CVE-2019-3637

    Privilege Escalation vulnerability in McAfee FRP 5.x earlier than 5.1.0.209 allows local users to gain elevated privileges via running McAfee Tray with elevated privileges.


  • CVE-2019-3621

    Authentication protection bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLP Endpoint) for Windows 11.x prior to 11.3.0 allows a physical local user to bypass the Windows lock screen via DLP Endpoint processes being killed just prior to the screen being locked or when the screen is locked.


  • CVE-2018-10959

    Mitre and NVD have recently made this 7.5 high severity CVE public, describing the vulnerability as an Untrusted Search Path vulnerability, exploitable by modifying environment variables to trigger automatic elevation of an attacker’s process launch.


  • CVE-2018-6689

    Authentication bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLP Endpoint) 10.0.x earlier than 10.0.510, and 11.0.x earlier than 11.0.600 allows attackers to bypass local security protection via specific conditions.


  • CVE-2018-6674

    When the process McTray.exe runs with elevated privileges, VSE might spawn a process inheriting the parent’s privileges. This issue exposes the system to be manipulated by an attacker.


buy me a coffee