MiniPlasma, a Powerful LPE
Researchers have identified two security vulnerabilities, YellowKey and GreenPlasma, affecting Windows systems. YellowKey involves the 'autofstx.exe' binary present in Windows Update and WinRE images, potentially enabling controlled file deletion during updates. GreenPlasma may allow elevation of privilege by writing to protected registry keys, with evidence suggesting the flaw remains unpatched in current Windows 11 versions.
- The YellowKey vulnerability is linked to the 'autofstx.exe' binary, which propagates transaction files across volumes.
- 'autofstx.exe' is present in Windows Update and WinRE images, raising concerns that disabling WinRE may not mitigate the issue.
- A technique inspired by a Google Project Zero finding was found to reproduce an elevation of privilege vulnerability in fully patched Windows 11 and Insider Preview systems.
- The GreenPlasma issue could hypothetically allow writing to another user's registry hive, representing a security boundary violation.
- A proof-of-concept for CVE-2020-17103 was uploaded to GitHub after being shared with Google Project Zero.
Opening excerpt (first ~120 words):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Recently two researchers had interesting discoveries regarding YellowKey and GreenPlasma. The YellowKey is caused by the binary "autofstx.exe" which propagates all present volumes for transaction files. A researcher (unsure if they want to be named) told me that this binary is also present in Windows Update WinRE images, and I think they will definitely have the same vulnerability as well. However, I'm unsure if it's possible to trigger the controlled file deletion when Windows is updating.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Blogspot.