kachapopopow 20 hours ago

Ah, good to know that there are people still making a complete mockery of Windows even now.

Do note that VBS mitigates a majority of 'buffer overflow' exploits, and Microsoft has historically been shown to brush off these vulnerabilities, so that 100k bounty is pretty far-fetched.

Any WMI operation does touch the disk (because it's a database), but similar to any other kind of database, these writes are mixed with the writes that happen in a normal environment and are not really possible to tell apart from those of malicious applications.

WMI requires administrator privileges to write, so the privilege escalation is not that interesting except in limited environments (and Microsoft has also shown in the past that they don't care about these), which is fair considering you can't call 'sudo' a security vulnerability.

  • b8 20 hours ago

    Zerodium and similar 0day sweatshops pay a lot for these 0days. Bug bounty programs run directly through the companies have been documented to screw over researchers.

    • tptacek 18 hours ago

      Zero-day brokers pay in tranches for completed, reliable exploits; bug bounties pay in lump sums for (generally) POCs. It's not an apples-to-apples comparison.

alberto-m 21 hours ago

From a Reddit comment [1]: “the repo contains two novel and different ways to run any process as the SYSTEM user. It also disables every antivirus through a novel process privilege deescalation exploit”

[1] https://old.reddit.com/r/ReverseEngineering/comments/1icgfua...

  • p_ing 20 hours ago

    I don't know how one can argue (in the Reddit thread) that Administrator -> SYSTEM is a security vulnerability or even a privilege escalation. The Administrator can grant themselves kernel debug rights!

  • thomquaid 20 hours ago

    Sticky keys into SYSTEM console; same as always.

Almondsetat 21 hours ago

Quoting the README: "The WMI is an extension of the Windows Driver Model. It's a CIM interface that provides all kinds of information about the system hardware, and provides for a lot of the core functionality in Windows. For example, when you create a startup registry key for an application, that's really acting on the WMI at boot."

ComputerGuru 19 hours ago

The real value in this: a new way to more easily disable Windows Defender on Windows 11.

ptx 16 hours ago

So where is the data actually stored if it "never touches the disk"? Is it some UEFI or BIOS thing?

jolfosh 20 hours ago

The fact that so many critical infrastructure systems still depend on Windows is absurd (I say from my Windows machine). Great find! Thank you for sharing.

NetOpWibby 20 hours ago

I wonder why this person didn’t submit this to Microsoft for a billion dollars.

  • musjleman 18 hours ago

    Because this has no actual value for anyone and MS would (did?) ignore him.

    • NetOpWibby 17 hours ago

      Surely MS has bug bounty programs, no? Maybe I'm missing something.

      • musjleman 16 hours ago

        You're missing the fact that there is basically no bug here.

        All this does is:

        * Store data in a database.

        * Kill AV software provided you have admin privileges.

        The latter might be remediated by MS down the line, but they don't generally give bounties.

        • NetOpWibby 16 hours ago

          Yeah, the AV thing was what gave me pause. The only thing I miss about Windows is ESET's NOD32. Best AV I've ever used. I know they have a Mac version now, but I don't see the point in getting it.

      • p_ing 17 hours ago

        Yes they do for credible threats. Otherwise there is the Windows Feedback Hub ;)