Category Archives: privilege escalation

Adobe December Patch Tuesday Fixed 38 Critical Vulnerabilities In Adobe Reader And Acrobat DC

Adobe has patched a number of security vulnerabilities on the last scheduled monthly update of this year. All these patches

Adobe December Patch Tuesday Fixed 38 Critical Vulnerabilities In Adobe Reader And Acrobat DC on Latest Hacking News.

Zero-Day Flash Player Vulnerability Fixed After Being Exploited In the Wild

Adobe has once again patched a serious flaw in the Flash Player that has been exploited in the wild. This

Zero-Day Flash Player Vulnerability Fixed After Being Exploited In the Wild on Latest Hacking News.

Warning! Unprivileged Linux Users With UID > INT_MAX Can Execute Any Command

Hold tight, this may blow your mind… A low-privileged user account on most Linux operating systems with a UID value greater than 2147483647 can execute any systemctl command without authorization, thanks to a newly discovered vulnerability. The reported vulnerability actually resides in PolicyKit (also known as polkit), an application-level toolkit for Unix-like operating systems that defines

IBM Db2 Vulnerabilities Left IBM Database Installations At Risk Of Hacks

IBM patched a couple of serious vulnerabilities in the previous week in their Db2 database installations. These IBM Db2 vulnerabilities

IBM Db2 Vulnerabilities Left IBM Database Installations At Risk Of Hacks on Latest Hacking News.

Webex Meetings Desktop App Vulnerability Existed Even After Patch

Last month, Cisco patched a command injection vulnerability in its Webex Meeting App. The vulnerability could allow arbitrary command execution

Webex Meetings Desktop App Vulnerability Existed Even After Patch on Latest Hacking News.

Nuclear Pack loads a fileless CVE-2014-4113 Exploit

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.
Unsurprisingly, the sample ( 592899e0eb3c06fb9fda59d03e4b5b53 ) dropped by Nuclear is the same one offered as the fake update.

But there was an additional 11 kB payload call for which I could not find a sample on the drive.

Nuclear Pack dropping Nymaim in the 2015-11-30 Spam Campaign
It was also unusually encoded with two XOR passes, and the first part of the decoded stream is shellcode.

Friends (who don't want to be mentioned) figured out that a privilege escalation was in use there:

According to Kaspersky and Timo Hirvonen (F-Secure), it's CVE-2014-4113 (Win32k.sys Elevation of Privilege Vulnerability).

I did not get to see the privilege escalation in live conditions.

Note: it's not the first time a public Exploit Kit has integrated an exploit to escalate the rights of the dropped payload (cf. CVE-2015-2426 in Magnitude).

Files: Fiddler and Dll here (password is malware - XOR keys: 56774347426F664767 then 213404052d09212031)
Thanks: Kaspersky, Timo Hirvonen, Malc0de and 2 other friends for taking some time and using their wizardry on this.

Read More:
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro