CVE-2019-9702: Symantec Encryption Desktop Local Privilege Escalation – Exploiting an Arbitrary Hard Disk Read/Write Vulnerability Over NTFS

Note: These vulnerabilities remain unpatched at the point of publication. We have been working with Symantec to try to help them fix this since our initial private disclosure in July 2017 (full timeline at the end of this article); however, no patch has yet been released. Consequently, we are at the point of publishing […]

Carbon Black – Security Advisories: CVE-2016-9570, CVE-2016-9568 and CVE-2016-9569

Nettitude have discovered three vulnerabilities in Carbon Black: CVE-2016-9570, CVE-2016-9568 and CVE-2016-9569. Two of these have been patched at the time of writing. CVE-2016-9570 – Module: cb.exe (SRC-149); Version: ; Bug Type: Read-Out-Of-Bounds; Impact: DoS; Prerequisites: Hijack NetMon Pipe; Severity: Medium; Status: Remediated. Note: The following technical details are taken from the x86 build of the Carbon Black […]

Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393

We recently discovered a new and quietly released Windows kernel exploitation defence. Exploiting a kernel bug by setting the SecurityDescriptor pointer to NULL in the header of a process object running as SYSTEM no longer works from Windows 10 v1607 (Build 14393). If you want to know why, keep reading.

From macro to malware – a step by step analysis

We recently received an email which contained a malicious Word macro. Usually, the only thing that changes between malicious Office macros is the obfuscation that is used; e.g. changing variable names and splitting text strings. This one was different. We decided to analyse the payload and before we knew it, we were deep down the rabbit hole!