Zero Day Initiative | Blog
Follow
Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 3
This blog introduces a technique for converting an on-boot arbitrary delete primitive into an on-demand one. It involves removing the SA.DAT file from C:\Windows\Tasks, creating a junction in its place, and redirecting the deletion of a .job file to C:\Config.Msi::$INDEX_ALLOCATION.To make debugging protected processes easier, a tool was created to launch processes as protected ones, allowing for detailed inspection using Procmon and WinDbg.During disclosures, the authors faced difficulties with Intel Corporation rejecting a vulnerability report due to a narrow interpretation of their bug bounty program, despite providing detailed justifications for remediation.PaperCut was criticized for downplaying the severity of vulnerabilities in public advisories, potentially misleading users about risks, and not adequately addressing them in their security posture.The research resulted in the disclosure of several vulnerabilities that have been patched: CVE-2024-3037, CVE-2024-4454, CVE-2024-2003, CVE-2024-0353, and CVE-2024-3037.However, 14 vulnerabilities remain unpatched and are being released as zero-day vulnerabilities: ZDI-CAN-22238, ZDI-CAN-22260, ZDI-CAN-22272, ZDI-CAN-22803, and ZDI-CAN-22804.