-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Recently two researchers had interesting discoveries regarding YellowKey and GreenPlasma,
The YellowKey is caused by the binary "autofstx.exe" which propagates all present volumes for transaction files, a researcher (unsure if they want to be named) told me that this binary is also present in windows update WinRE images and I think they will definitely have the same vulnerability as well. However, I'm unsure if it's possible to trigger the controlled file deletion when windows is updating. If it's true, then it means disabling WinRE is not a solution for the problem, which also means it's a good thing that I kept the PIN+TPM PoC a secret.
Regarding GreenPlasma, I'm unaware if anyone managed to make a full exploit yet but people are trying hard to make it work as it obviously violate a windows security boundary. The thing is, another researcher noticed one of my techniques to write in a protected registry key in HKCU (which isn't a security boundary) but they also told me that hypothetically speaking, this technique could be used to write in another user's hive which is obviously an EoP.
This technique that I used was inspired by a google project zero finding :
https://project-zero.issues.chromium.org/issues/42451192
After reading this issue, I attempted to figure out how Microsoft patched the issue but I never found out how ? At that point I was a bit too tired so i thought maybe it's something I missed and it's definitely patched. To my surprise, this researcher that reached regarding this thing, have managed to re-reproduce the issue in a fully patched windows 11 machine + windows insider preview. Which means this was an elevation of privileges vulnerability that was sitting in plain sit for god long knows how long.
I have not tested if either YellowKey or GreenPlasma news are true but I believe they are, I uploaded CVE-2020-17103 PoC directly project zero to github in case project zero decides to remove it. It will still be there in github.
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCagY6/AAKCRDFFoRCS0/S
bKCyAP4+yIbtuhyKUm84UHUZmJ3R7H51ySfYfaDdg4RO7aUxhAEA8uv36AM1norC
qnuG00ATch/ugDM8lNHPqM4ywZ6Kxg4=
=rzJa
-----END PGP SIGNATURE-----
No comments:
Post a Comment