This one is a bit of a cross-user attack on the same machine, as `git` when executed in a directory that doesn't have a `.git` folder, will traverse upward looking for the `.git/` of the repo.The problem is if one accidentally invokes `git` while not in a repository it'll look in some potentially untrusted locations as it traverses by defualt all the way to the root of the storage...
Two issues, one being a race condition between validating a configuration is safe and using the configuration, the second an information disclosure where a user's Net-NTLMv2 hash could be disclosed.
Slight race-condition in the Pritunl VPN client leading to a semi-controlled file-write as SYSTEM which could be leveraged into code execution as SYSTEM.
Multiple bugs in Carbon Black and vRealize Operations Manager, authentication bypassing through proxy trickery, server-side request forgery, credential leaking, and ultimately RCE.
Little Snitch might block connections to some IPs, but only if they send data. Just opening the connection but not sending data is a fun way to get around the blacklist, and while significantly slower, one can still exfiltrate information using only a data-less connection.
The gist of this is that an attack can use their own Time-based One-Time-Password (TOTP) code on another user's account.
Rocket.Chat will open links to the same domain within the main application window, with the abilitry to upload files an attacker can run Javascript and gain RCE (thanks to `nodeIntegration` being enabled).
There is an argument injection within the `ms-officemd` URI scheme (available by default on WIndows 10 and 11) used by MS Office applications to launch other Office apps. By targeting the MS Teams Electron application one could leverage the `--gpu-launcher` argument for arbitrary command injection without any hassle.
Multiple bugs within the Microsoft RDP Client (Server being the attacker) found through fuzzing. None covered at this time are very impactful but there is some background in Virtual Channels within RDP and experieince getting a fuzzing envrionment setup that might be of value.
It is possible to bypass macOS's System Integrity Protection (SIP) through the `system_installd` daemon. This daemon has the `com.apple.rootless.install.heritable` entitlement which means that any process started by the daemon will not be protected by SIP.