James Forshaw :donor: on Nostr: Damn, I really thought the Recall database security would at least be, you know, ...
Damn, I really thought the Recall database security would at least be, you know, secure. Turns out Microsoft did pretty much what I blogged about for WindowsApps, except you need to find a specific WIN://SYSAPPID instead. So to bypass the security just get the token for the AIXHost.exe process, then impersonate that and you can access the database, no admin required. Or, as the files are owned by the user, just grant yourself access using icacls etc :D
Published at
2024-06-05 21:05:23Event JSON
{
"id": "8944261f309c7c738f2cba3ce22c77e1a2f13a632c530bf9fbb99c25fdea6de1",
"pubkey": "e98881dc17522381a12a51600c0c54bb25e1b9692644d94f0328cfb2184cb0f0",
"created_at": 1717621523,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/users/tiraniddo/statuses/112566044174482506",
"activitypub"
]
],
"content": "Damn, I really thought the Recall database security would at least be, you know, secure. Turns out Microsoft did pretty much what I blogged about for WindowsApps, except you need to find a specific WIN://SYSAPPID instead. So to bypass the security just get the token for the AIXHost.exe process, then impersonate that and you can access the database, no admin required. Or, as the files are owned by the user, just grant yourself access using icacls etc :D",
"sig": "364393882b0b6b22c32cd01d9cbedda84113872ea5629b760effc3e832e646eb96c810ad5320bdd9132a1ab00fcca0deedb74d1cdc3b51a2084ad078d297b5ee"
}
