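Web Security Handbook

Sharing is a joy in itself; I feel happy when others get help from it

[Pinned] What a tragedy

[Pinned] Technical challenge game

[Pinned] Disclaimer & article submissions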

Black Hat 2010 Token Kidnapping's Revenge

#Trace: A heavyweight privilege-escalation tool; I saw the news about it last month. The author released the code after the Black Hat conference.
This new presentation will detail new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7. These new attacks allow bypassing new Windows services protections such as Per service SID, Write restricted token, etc. It will be demonstrated that almost any process with impersonation rights can elevate privileges to Local System account and completely compromise Windows OSs. While the issues are not critical in nature since impersonation rights are required, they allow exploiting services such as IIS 6, IIS 7, SQL Server, etc. in some specific scenarios. Exploit code for those services will be released. The presentation will be given in a very practical way showing how the new issues were found, with what tools, techniques, etc. allowing the participants to learn how to easily find these kinds of security issues in Windows operating systems.

Windows NT User Mode to Ring 0 Escalation Vulnerability

# Title: Windows NT User Mode to Ring 0 Escalation Vulnerability
# EDB-ID: 11199
# CVE-ID: ( 2010-0232 )
# OSVDB-ID: ()
# Author: Tavis Ormandy
# Published: 2010-01-19
# Verified: yes

FreeBSD local root zeroday

There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.

Linux Kernel Bashing

This summer may have caused a few burdens on Linux administrators. With all the patching necessary to keep their systems out of the hands of those who would choose to exploit them, unless you're using something like Ksplice, you've more than likely rebooted many times already. Well, here is one more reason to wake up this early this morning…

Oracle privilege escalations from web app

There are a number of privilege escalation attacks known for Oracle. These exist mainly because, by default, PL/SQL procedures and functions run with the privileges of the definer and not those of the invoker. Think of it like SUID files.

Trend Micro Internet Security Pro 2009 Privilege Escalation PoC

The vulnerability is caused by the IOCTL handler of the "tmactmon.sys"
driver improperly processing user space parameters. This exploit executes
arbitrary code in kernel space via a specially crafted IOCTL.
 

FreeBSD zeroday

This will give us an immediate (probably remote) root shell.
This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install
with telnetd enabled. Other versions of FreeBSD may also be affected;
OpenBSD and NetBSD were not tested but MAY contain the same bug because
of historic reasons.

Multiple Kaspersky Products 'klim5.sys' Local Privilege Escalation Vulnerability

Copyright 2008-2009 Pcsec.org. Some Rights Reserved. 苏ICP备08110306号