Discover and read the best of Twitter Threads about #PrinterNightmare
Most recents (2)
I’d like to clarify my position on #Microsoft in general
Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.
I criticize Microsoft’s response to recent ..
Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.
I criticize Microsoft’s response to recent ..
vulnerabilities (or design flaws) because I care about these things and believe that customers do care too.
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.
There are still few but good reasons ..
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.
There are still few but good reasons ..
.. not to opt for the cloud.
I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won’t read it.
I really hope that you continue the ..
I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won’t read it.
I really hope that you continue the ..
The patched version of spoolsv for #PrinterNightmare is interesting. The call to YIsElevated seems to be an admin check is disguise, basically only admins can open the process token for TOKEN_QUERY, which if fails will return FALSE even if the process token is elevated.
It'll then check if elevation is required from the NoWarningNoElevationOnInstall is enabled. If YIsElevated returns FALSE and YIsElevationRequired returns TRUE then it's based on the result of RunningAsLUA.
This is where the impersonation token is checked. If the caller's token is a Limited token then the result is TRUE. If a Full token it's FALSE. However if it's a Default token (which is what you get as a network token) it's based on the value of elevation.
