Estimated to have infected 7,000 systems, the botnet uses a mass-compromise pipeline, deploying various scanners and malware.
The post New ‘SSHStalker’ Linux Botnet Uses Old Techniques appeared first on SecurityWeek.
SecurityWeek – Read More
Traditional business telephone lines won’t cut it for today’s consumers. These VoIP providers will propel your business communication methods into the modern age.
Latest news – Read More
Last year we wrote about a Windows 11 vulnerability that allowed a regular user to gain administrative privileges (see 300 Milliseconds to Admin: Mastering DLL Hijacking and Hooking to Win the Race (CVE-2025-24076 and CVE-2025-24994)). Not long after, Manuel Kiesel from Cyllective AG reached out to us after stumbling across a seemingly similar issue while investigating the Lenovo Vantage application. He asked for some Windows related help, which proved to be trickier than expected. It turns out that the exploit primitive for arbitrary file deletion to gain SYSTEM privileges no longer works on current Windows machines. However, adapting the code provided by Trend Micro’s ZDI still allowed us to use folders to exploit the vulnerability.
Lenovo Vantage is an application provided by Lenovo that helps to manage computer hardware, including system updates and drivers. It offers various add-ons, such as a system cleanup task that removes unnecessary files. The application is available on the Windows Store and can be downloaded by any regular user.
By the time Manuel contacted us, most of the analysis of Lenovo Vantage had already been completed, and he had identified a potential vulnerability in the software’s file cleanup functionality. You can read about this on Cyllective’s blog. It boils down to the fact that the application, which runs as SYSTEM, deletes a directory that can be modified by a regular user:
private static bool CleanFiles() {
...
DeleteDirectory(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Windows), "Temp"), false);
...In 2021, Abdelhamid Naceri demonstrated a technique showing how the deletion of user writable folder contents by an elevated account can lead to code execution with elevated privileges. We have abused this issue in the past, including in this case where we used the primitive to gain administrative privileges through a Lenovo vulnerability, tracked as CVE-2022-4569 and described in the Compass’ blog – Lenovo Update Your Privileges.
However, when we tried to use the tool provided by ZDI, we were unable to leverage the recursive file deletion primitive to gain SYSTEM privileges. After some investigation, it became clear that the INDEX_ALLOCATION trick no longer works on a fully up to date Windows 11 system, as also noted by Filip Dragovic:
As ZDI explained in their well written blog post, it was possible to abuse the MSI install rollback feature to turn an arbitrary folder deletion into a privilege escalation. Since this approach only works when a directory can be deleted, they expanded the attack surface and showed how the same idea can also be exploited when only arbitrary file deletion is available. The key insight was to transform a file deletion (DeleteFileA) into a folder deletion by redirecting the call to the directory metadata attribute ($INDEX_ALLOCATION).
As you can see here, when we run the following snippet in PowerShell on a fully up to date Windows 11 system such as 24H2, the INDEX_ALLOCATION trick no longer appears to work:
# From https://x.com/filip_dragovic/status/1881091708039131441
function Invoke-DeleteFileA {
param (
[Parameter(Mandatory)]
[string]$FilePath
)
$signature = @"
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern bool DeleteFileA(string lpFileName);
"@
$type = Add-Type -MemberDefinition $signature -Name "Win32Api" -Namespace "Kernel32" -PassThru
$result = $type::DeleteFileA($FilePath)
if ($result) {
Write-Output "File deleted successfully"
} else {
$errorCode = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
Write-Output "Failed to delete file. Error code: $errorCode"
}
}
# Then run the script. The deletion fails.
PS > Invoke-DeleteFileA -FilePath 'C:testfolder::$INDEX_ALLOCATION'
Failed to delete file. Error code: 2As a result, using FolderContentsDeleteToFolderDelete.exe no longer works for arbitrary file deletes, which left us security analysts a bit disappointed (ehm … I mean relieved that this can no longer be abused).
But then shortly after, we realized that we already had an arbitrary folder deletion primitive and did not need to depend on the INDEX_ALLOCATION trick in the first place. With that insight, we adapted the ZDI tool and brought the tool back to life.
In FolderContentsDeleteToFolderDelete.cpp we remove the reference to the INDEX_ALLOCATION on line 27, and on line 118 we open the handle to the directory instead of the file:
Line: FolderContentsDeleteToFolderDelete.cpp
27: symlinkTarget = std::wstring(L"\??\") + symlinkTarget;
118: hf = op.OpenDirectory(exploitFilePath.c_str(), MAXIMUM_ALLOWED, FILE_SHARE_READ | FILE_SHARE_WRITE, CREATE_ALWAYS);After hours of trial and error, we found that the fix was surprisingly small!
After figuring this out, Manuel quickly wrapped the vulnerability trigger into a clean and easy to use proof of concept (PoC) executable. Once the Lenovo Vantage application was installed on the system, we were able to demonstrate that a regular user on Windows 11 could reliably exploit the vulnerability and gain administrative privileges.
Shout out to Lenovo’s PSIRT team for handling the responsible disclosure of the vulnerability well and responding in a timely manner. You can read the Lenovo vulnerability advisory here. This vulnerability has since been mitigated and cannot be exploited anymore.
We especially want to thank Manuel Kiesel from Cyllective AG for reaching out and allowing us to collaborate on a vulnerability! It was a pleasure!
Make sure to also check out the first part on Cyllective’s blog, as it covers the initial discovery and most of the technical details.
Compass Security Blog – Read More
The Netherlands’ Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed both agencies (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the country’s parliament on Friday.
“On January 29, the National Cyber Security Center (
The Hacker News – Read More
Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.
The vulnerability, tracked as CVE-2026-21643, has a CVSS rating of 9.1 out of a maximum of 10.0.
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may
The Hacker News – Read More
The company’s Motion Sketch feature lowers the barrier between abstract imagination and concrete video outputs. But like all generative AI tools, it has its shortcomings.
Latest news – Read More
NFC tags are so useful and customizable, and it’s quite simple to make your own. Here’s what you can do with it and how.
Latest news – Read More
Logitech’s modular Mevo Core is a 4K live-streaming camera with multi-cam support and fantastic image quality.
Latest news – Read More
Post Content
darkreading – Read More
When it comes to Viture, RayNeo, and Xreal, polished spatial tracking beats both raw brightness and future promises.
Latest news – Read More