Home on Beyond the Security Theater

About

Mon, 01 Jan 0001 00:00:00 +0000

Security theater is the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.

Contributions

Mon, 01 Jan 0001 00:00:00 +0000

Vulnerabilities

CVE-2025-47984 - Microsoft Windows GDI Information Disclosure
CVE-2025-30388 - Microsoft Windows GDI+ Remote Code Execution
CVE-2024-35467 - Asus RT-AC87U WPS Denial of Service
CVE-2024-39149 - NETGEAR R8000 Remote OS Command Injection
CVE-2024-25464 - Asus Download Master Remote OS Command Injection
CVE-2023-5372 - Zyxel NAS Remote Python Code Execution
CVE-2023-4474 - Zyxel NAS Remote OS Command Injection
CVE-2023-4473 - Zyxel NAS Authentication Bypass
CVE-2023-37928 - Zyxel NAS Remote Python Code Execution
CVE-2023-37927 - Zyxel NAS Remote OS Command Injection
CVE-2022-38006 - Microsoft Windows GDI+ Information Disclosure
CVE-2022-35837 - Microsoft Windows GDI+ Information Disclosure
CVE-2022-34728 - Microsoft Windows GDI+ Information Disclosure
CVE-2022-29112 - Microsoft Windows GDI+ Information Disclosure
CVE-2022-26934 - Microsoft Windows GDI+ Information Disclosure
CVE-2022-21915 - Microsoft Windows GDI+ Information Disclosure
CVE-2022-21904 - Microsoft Windows GDI Information Disclosure
CVE-2022-21903 - Microsoft Windows GDI Elevation of Privilege
CVE-2020-13657 - Avast Free Antivirus Elevation of Privilege
CVE-2020-1283 - Microsoft Windows AppInfo Denial of Service
CVE-2020-1123 - Microsoft Windows DiagTrack Denial of Service
CVE-2020-1076 - Microsoft Windows VaultSvc Denial of Service
CVE-2020-12463 - Avira Software Updater Elevation of Privilege
CVE-2020-0899 - Microsoft Visual Studio Elevation of Privilege
CVE-2020-0858 - Microsoft Windows “Account Pictures” Elevation of Privilege
CVE-2020-8094 - Bitdefender Antivirus Free 2020 Elevation of Privilege
CVE-2019-1476 - Microsoft Windows AppXSvc Elevation of Privilege
CVE-2019-1253 - Microsoft Windows AppXSvc Elevation of Privilege
CVE-2014-4643 - Core FTP LE Remote Code Execution
CVE-2013-7260 - RealPlayer Remote Code Execution

Exploits

Metasploit modules

Authentication bypass and multiple injection vulnerabilities in Zyxel's NAS devices

Sun, 20 Apr 2025 11:36:14 +0200

An authentication bypass vulnerability exists in the web management interface of certain Zyxel NAS devices. This flaw allows unauthenticated attackers to remotely perform unauthorized actions on affected systems. Additionally, multiple post-authentication code and command injection vulnerabilities may arise when the devices improperly process user-supplied input. These vulnerabilities enable attackers to execute arbitrary code or commands remotely on impacted devices.

Out-of-bounds read information disclosure vulnerability in Microsoft Windows GDI+ EMR_STRETCHDIBITS record (again)

Sat, 28 May 2022 11:14:00 +0200

An information disclosure vulnerability (CVE-2022-38006) exists when the Windows GDI+ component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

Out-of-bounds read information disclosure vulnerability in Microsoft Windows GDI+ EMR_SETPIXELV record

Fri, 20 May 2022 10:41:00 +0200

An information disclosure vulnerability (CVE-2022-34728) exists when the Windows GDI+ component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

Arbitrary read information disclosure vulnerability in Microsoft Windows GDI+ EMR_STARTDOC record

Mon, 16 May 2022 01:47:00 +0200

An information disclosure vulnerability (CVE-2022-35837) exists when the Windows GDI+ component improperly discloses memory information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

Out-of-bounds read information disclosure vulnerability in Microsoft Windows GDI+ EMR_CREATEDIBPATTERNBRUSHPT record

Wed, 29 Dec 2021 00:18:14 +0200

An information disclosure vulnerability (CVE-2022-26934) exists when the Windows GDI+ component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

Out-of-bounds read information disclosure vulnerability in Microsoft Windows GDI+ EMR_BITBLT record

Fri, 26 Nov 2021 11:36:14 +0200

An information disclosure vulnerability (CVE-2022-29112) exists when the Windows GDI+ component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

Out-of-bounds read information disclosure vulnerability in Microsoft Windows GDI+ EMR_STRETCHDIBITS record

Wed, 29 Sep 2021 16:00:14 +0200

An information disclosure vulnerability (CVE-2022-21915) exists when the Windows GDI+ component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

Out-of-bounds read information disclosure vulnerability in Microsoft Windows GDI+ EMR_SETDIBITSTODEVICE record

Thu, 09 Sep 2021 20:51:00 +0200

An information disclosure vulnerability (CVE-2022-21904) exists when the Windows GDI+ component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

How to mitigate symbolic link attacks on Windows?

Sat, 05 Dec 2020 23:00:14 +0200

TL;DR

SymlinkProtect is a custom minifilter driver for Windows written in C++. It is loaded into the file system driver stack as a filter driver. This allows it to monitor user-mode applications and block malicious attempts to set a reparse point on a directory creating a mount point to some suspicious targets like \RPC Control.

Motivation

Microsoft have recently added hard link mitigation to Windows and they are also actively working on mitigations for other attacks involving file path redirection through junctions or mountpoints. However, in the mean time, symbolic links still present quite a large attack surface. If you are not familiar with the subject, James Forshaw’s (@tiraniddo) blog, presentation and tools are the go-to resources.

NULL pointer dereference in Windows GDI bParseWin32MetaFile

Thu, 23 Jul 2020 16:00:14 +0200

TL;DR

A denial of service vulnerability exists when Windows GDI improperly handles objects in memory. Converting a specially crafted EMF file to a WMF may trigger a read access violation due to a NULL pointer dereference and could allow denial of service.

Description

It seems that calling Metafile::EmfToWmfBits() method on a specially crafted EMF file may lead to memory corruption triggered by bGetNextRecord() called by the bParseWin32Metafile() function. The below is the relevant excerpt of the crash analysis from WinDbg:

Write access violation in Windows GDI DocumentEvent

Sun, 19 Jul 2020 16:00:14 +0200

TL;DR

A denial of service vulnerability exists when Windows GDI improperly handles objects in memory. Processing a specially crafted picture may trigger a write access violation exception when the device context is associated with a printer.

Description

While looking into old vulnerabilities related to GDI+ I have encountered a write access violation similar to CVE-2016-0169 and CVE-2016-0170. Calling PlayEnhMetaFile() with a printer device and a specially crafted EMF file may lead to memory corruption triggered by the PROXYPORT::DocumentEvent() function. The below is the relevant excerpt of the crash analysis from WinDbg:

Arbitrary directory creation in AppInfo

Fri, 03 Apr 2020 11:54:51 +0200

A denial of service (CVE-2020-1283) vulnerability exists when the Application Information (AppInfo) service improperly handles symbolic links resulting in a low privileged user being able to create arbitrary directories.

Arbitrary directory creation in DiagTrack

Sun, 22 Mar 2020 11:54:51 +0200

A denial of service (CVE-2020-1123) vulnerability exists when the Connected User Experiences and Telemetry (DiagTrack) service improperly handles symbolic links resulting in a low privileged user being able to create arbitrary directories.

Untrusted search path in Windows Phone Task Scheduler

Sun, 08 Mar 2020 20:52:18 +0100

An elevation of privilege vulnerability exists when the Windows Phone Task Scheduler (WPTaskScheduler) improperly handles loading of DLL files potentially allowing low privileged users to execute arbitrary code in the context of the local SYSTEM account.

Arbitrary file write in Visual Studio Updater Service

Wed, 05 Feb 2020 22:20:51 +0200

An elevation of privilege vulnerability (CVE-2020-0899) exists when the Visual Studio Update Service improperly handles file hard links and path redirection through junctions or mount points resulting in low privileged users being able to write arbitrary files.

Arbitrary file write in VaultSvc

Sun, 02 Feb 2020 22:27:51 +0100

A denial of service vulnerability (CVE-2020-1076) exists when the Credential Manager (VaultSvc) improperly handles symbolic links resulting in a low privileged user being able to write arbitrary files.

Arbitrary file security descriptor overwrite in Avira Software Updater

Wed, 29 Jan 2020 18:20:46 +0100

An elevation of privilege vulnerability (CVE-2020-12463) exists in Avira Software Updater due to improperly handling file hard links, resulting in a low privileged user being able to take control of an arbitrary file.

PATH directories DLL planting on default Windows installations

Sat, 25 Jan 2020 12:11:48 +0100

A user profile folder added to the PATH directories by default is not protected with administrator ACLs, allowing potential PATH directory DLL planting vulnerabilities.

Arbitrary file security descriptor overwrite in Avast Free Antivirus

Wed, 22 Jan 2020 19:12:04 +0100

An elevation of privilege vulnerability (CVE-2020-13657) exists in Avast Free Antivirus due to improperly handling file hard links, resulting in a low privileged user being able to obtain write access to an arbitrary file.

DLL planting in Bitdefender Antivirus Free 2020

Sat, 18 Jan 2020 20:43:04 +0100

An elevation of privilege vulnerability (CVE-2020-8094) exists in Bitdefender Antivirus Free 2020 due to DLL planting, resulting in low privileged users being able to execute code as SYSTEM via a specially crafted DLL file.

Explorer does not enforce the same-origin policy on local files

Sun, 15 Dec 2019 21:45:21 +0100

By default, Internet Explorer does not enforce the same-origin policy on files in the Local Machine Zone resulting in local files being able to send arbitrary cross-domain requests without preflight and read the response.

Arbitrary file overwrite in AppXSvc

Tue, 10 Dec 2019 11:54:51 +0200

An elevation of privilege vulnerability (CVE-2019-1476) exists when the AppX Deployment Server (AppXSvc) improperly handles file hard links resulting in a low privileged user being able to overwrite an arbitrary file.

Arbitrary file security descriptor overwrite in AppXSvc

Sun, 15 Sep 2019 20:50:51 +0200

An elevation of privilege vulnerability (CVE-2019-1253) exists when the AppX Deployment Server (AppXSvc) improperly handles file hard links resulting in a low privileged user being able to take Full Control of an arbitrary file.

Search

Mon, 01 Jan 0001 00:00:00 +0000