Will Dormann on Nostr: This SnapAttack writeup on CVE-2024-30051 is pretty neat: ...
This SnapAttack writeup on CVE-2024-30051 is pretty neat: https://blog.snapattack.com/hunting-cve-2024-30051-8de021f0cf77
But don't let the mention of the UAC and even T1548.002 suggest that it's merely a UAC bypass. This allows going from non-admin to SYSTEM.
This is in no way a UAC bypass. The UAC's consent.exe is merely a mule to get the user-provided payload DLL to execute with SYSTEM privileges (by way of dwm.exe).
But don't let the mention of the UAC and even T1548.002 suggest that it's merely a UAC bypass. This allows going from non-admin to SYSTEM.
This is in no way a UAC bypass. The UAC's consent.exe is merely a mule to get the user-provided payload DLL to execute with SYSTEM privileges (by way of dwm.exe).