The C:\Windows\Temp directory may seem like a safe place to store temporary data, but it has a few quirks that not all developers are aware of. For code running with high privileges, like Windows services, it becomes an attack surface. For attackers, it is the gift that keeps on giving, exposing products to privilege escalation vulnerabilities. The talk covers (now fixed) privilege escalation vulnerabilities in Snow Inventory Agent for Windows (CVE-2018-17778) and F5 BigIP Edge Client for Windows (CVE-2021-23022). They share a common theme: both use C:\Windows\Temp in an insecure way.
Presented at Security Fest 2023.
Speaker: Jonas Vestberg

Jonas has been a senior security consultant at Sentor since 2013, securing the world one reverse shell at a time. Enjoys coffee, coding, bypassing EDRs, Windows privilege escalation bugs and getting Domain Admin.