Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114319331651837962">Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 17-Apr-2025 22:53:56 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114319281111054638" rel="in-reply-to">in reply to</a></div></section><article><p>Would changing the ACLs to not allow non-admin users the ability to create directories off of C:\ really have a real-world impact of limiting LPEs?</p><p>Absolutely. When you write a tool to look for things (e.g. <a href="https://github.com/vu-ls/crassus" rel="nofollow">Crassus</a>), you see things. Heck, I've seen a privileged service attempt to open files in C:\Program%20Files\, which any non-admin Windows user can create by default.</p><p>But no, even despite being presented with evidence for how this could fix an entire CLASS of LPEs on Windows, MSRC was not interested.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4869453#notice-9617289">In conversation</a><time datetime="2025-04-17T22:53:56+09:00" title="Thursday, 17-Apr-2025 22:53:56 JST">about 14 days ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114319331651837962" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114319331651837962">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4481133">Crassus results with an LPE that can be achieved by creating a directory off of C:\</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/328/558/499/280/original/9f375a596e6be1fe.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/328/558/499/280/original/9f375a596e6be1fe.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4481134">Crassus results with an LPE that can be achieved by creating a directory off of C:\</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/328/591/059/828/original/be09298e7e7ce5a8.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/328/591/059/828/original/be09298e7e7ce5a8.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4481135">Crassus results with an LPE that can be achieved by creating a directory off of C:\</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/328/622/114/978/original/142b3c0de51b5c9b.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/328/622/114/978/original/142b3c0de51b5c9b.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4481136">Crassus results with an LPE that can be achieved by creating a directory off of C:\</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/328/635/901/976/original/e1f0e54c4a14ddad.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/328/635/901/976/original/e1f0e54c4a14ddad.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 17-Apr-2025 22:53:56 JST Will Dormann
in reply to
Would changing the ACLs to not allow non-admin users the ability to create directories off of C:\ really have a real-world impact of limiting LPEs?
Absolutely. When you write a tool to look for things (e.g. Crassus), you see things. Heck, I've seen a privileged service attempt to open files in C:\Program%20Files\, which any non-admin Windows user can create by default.
But no, even despite being presented with evidence for how this could fix an entire CLASS of LPEs on Windows, MSRC was not interested.
In conversation14 days ago from infosec.exchangepermalink
Attachments

Public

Embed Notice

HTML Code

Corresponding Notice