A continually updated list of the 0-days I am responsible for discovering. This is mainly for my own sake in order to keep track of them. I try to keep the order chronological, from newest to oldest.

CVE-2020-6012: Local privilege escalation in ZoneAlarm Anti-Ransomware by Check Point

The ZoneAlarm Anti-Ransomware program created an opportunity for a local privilege escalation when generating a report of a ransomware attack. An attacker could create a fake ransomware attack, win a race condition, create a symlink and get arbitrary write/overwrite. This became the starting point of later 0-days in ZoneAlarm Anti-Ransomware.

I found it while working for Danish Cyber Defence and posted a blog about it there: CVE-2020-6012: Local Privilege Escalation in ZoneAlarm Anti-Ransomware by Check Point.

CVE-2020-9452: Local privilege escalation in Acronis True Image 2020

Acronis True Image 2020 came with ransomware protection. This ransomware protection process could be exploited to create a local privilege escalation. I found this while working for Danish Cyber Defence. I do not remember the exact details, but I have the report and some screenshots which I will post here: CVE-2020-9452

CVE-2020-9451: DoS in Acronis True Image 2020

Acronis True Image 2020 came with ransomware protection. This ransomware protection process could be killed or turned off. I found this while working for Danish Cyber Defence. It was two separate issues that they decided to merge. I cannot remember the details, but I have the exact report and some screenshots that I sent them, which I post here: CVE-2020-9451

CVE-2020-9450: Bypass in Acronis True Image 2020

Acronis True Image 2020 came with ransomware protection. This ransomware protection process communicated with the rest of the Acronis True Image program using a locally available REST API which required no authentication. Any unprivileged user could add files and folders to exclusion lists, allowing an attacker to freely run their ransomware. I found this while working for Danish Cyber Defence. I cannot remember the details, but I have the exact report and some screenshots that I sent them, which I post here: CVE-2020-9450

CVE-2020-8948: Local privilege escalation in Sierra Wireless

Sierra Wireless had a SYSTEM service running which copied logs from one folder to an archive folder. Both folders were writable by unprivileged users and could be exploited using a hardlink at the time. This gave the attacker arbitrary file overwrite by SYSTEM, which is enough to create a local privilege escalation.

I found it with my friend Simon van Beest, who was also my colleague at the time, while we both worked for Danish Cyber Defence. We wrote a blog post about it: CVE-2020-8948: Local privilege escalation in Sierra Wireless EM7455
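The bug class in the Sierra Wireless entry (a privileged service copying files between user-writable folders) has a standard mitigation, shown here as an added example that is not code from the vendor or from the original write-up. It uses POSIX file semantics instead of the Windows service, and `archive_log`, `refused`, `demo` and all paths are hypothetical names with constructed sample files.

```python
import os, stat, tempfile

def archive_log(src_path, dst_dir):
    """Copy one log into dst_dir; raise PermissionError on a planted link."""
    # No symlink following; judge the opened handle (fstat), not the name.
    src_fd = os.open(src_path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        info = os.fstat(src_fd)
        if not stat.S_ISREG(info.st_mode) or info.st_nlink != 1:
            raise PermissionError(f"{src_path}: not a singly linked regular file")
        dst_path = os.path.join(dst_dir, os.path.basename(src_path))
        try:
            # O_EXCL never writes through a link already planted at the destination.
            dst_fd = os.open(dst_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            raise PermissionError(f"{dst_path}: exists, refusing to overwrite") from None
        with os.fdopen(dst_fd, "wb") as dst:
            while chunk := os.read(src_fd, 65536):
                dst.write(chunk)
        return dst_path
    finally:
        os.close(src_fd)

def refused(src_path, dst_dir):
    try:
        archive_log(src_path, dst_dir)
        return False
    except PermissionError:
        return True

def demo():
    """Constructed scenario: two user-writable folders and one protected file."""
    with tempfile.TemporaryDirectory() as root:
        logs, archive = os.path.join(root, "logs"), os.path.join(root, "archive")
        os.mkdir(logs)
        os.mkdir(archive)
        protected = os.path.join(root, "protected.cfg")
        for path, text in ((protected, "original"), (os.path.join(logs, "a.log"), "log data"),
                           (os.path.join(logs, "b.log"), "untrusted data")):
            with open(path, "w") as f:
                f.write(text)
        os.link(protected, os.path.join(archive, "b.log"))  # link planted at destination
        os.link(protected, os.path.join(logs, "c.log"))     # link planted at source
        with open(archive_log(os.path.join(logs, "a.log"), archive)) as f:
            copied = f.read()
        blocked = [refused(os.path.join(logs, n), archive) for n in ("b.log", "c.log")]
        with open(protected) as f:
            return {"copied": copied, "blocked": blocked, "protected": f.read()}

if __name__ == "__main__":
    print(demo())
```

The ordinary log is archived, both linked names are refused, and the protected file keeps its original content.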