oops, I'm a few days late, but MS finally released a patch for the issue I reported last year - CVE-2025-26684
Defender for Linux can be tricked into executing arbitrary code as root. Writeup: https://astr.al/notes/2024-11-28_mdatp_privesc

some reboosts would be much appreciated <3

#microsoft


It's worth noting that MS is lying about the prerequisites:

> Microsoft’s advisory notes that successful exploitation hinges on an attacker already possessing administrative rights, limiting immediate remote exploitation risks.

This is false. Any unprivileged user can trigger this problem; my proof of concept was tested as uid=99/nobody.

@astraleureka hey did they even acknowledge an "execute code as root" vulnerability if they wanted us to believe you needed root to do it? If they were accurate it would have all been an NA.

@jsmall I have a feeling they barely ever have humans looking at this process anymore - it took weeks before they even tried to run the fully-reliable proof of concept I included. "[reproducing the issue ...] has proven more difficult than initially anticipated". (read: "we don't have any mdatp test environments available to us" or "the MSRC reviewers are contractors who are the equivalent of level 1 helpdesk techs", take your pick)

Maybe I'm just suspecting malice, but the CVSS score is a lot lower if they mark the vuln as requiring high privileges.

@astraleureka @jsmall I mean I would mark the severity as low because exploiting it depends on the victim having installed a rootkit from Microsoft on their Linux box. 🤦

But props for showing folks what a bad idea this is.

@dalias @jsmall Unfortunately, it's mandatory for our environment at $work.
@astraleureka they really out here in enterprise threat security land running random executables as root from a python script some intern wrote. Ridiculous
@s0 One of these days I'll snap and post the entire list of bullshit I have seen in just the last few years at this job
@astraleureka this is probably a case of a game of telephone going on between customer engineering and the developer(s) who made the fix, which is maliciously incompetent from an organizational pov

@astraleureka The lie is even more damning than the "wander the filesystem looking for used needles to inject as root to see what they are" logic.

Even when PoCs are public that's a lot more chasing than being able to use CVEs to assess urgency and presence/absence of mitigations; and not all PoCs are public, at least not until a dangerous amount of time has passed.

Lower scores probably juice somebody's metrics; but they just shove the iceberg closer to the waterline for everyone.

@fuzzyfuzzyfungus The PoC is available in my writeup, it's not a fast process but it is reliable on any version of mdatp from 2021 till this last patch Tuesday. Can easily modify the payload to work around noexec tmp or whatever env-specific problems exist. I would generally imagine that orgs running this would also update frequently, but let's be real, there are probably plenty of stragglers.

I posted too late to get any questions from "the media" so they just interviewed the other guy who reported it in March instead, his PoC just writes a file to test elevation. That's probably not scary enough to get the attention of a lot of folks /shrug

@astraleureka Nice. Did you also see this one from yesterday?
@cR0w Which one? I know this issue got buried under the whole heap of much-worse issues in Windows itself, we're having a heated discussion at work about it, lol

@astraleureka Guess it would help if I actually pasted the link, huh? 🤪

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161


@cR0w classic MS lack of *any* usable details there. The reporter wrote a blog post about the issue I found last year, but not about this one; that's a bit odd.
@astraleureka Might have waited to publish this one since they submitted it for CVE?
@cR0w Maybe. There's probably some more low hanging fruit in Defender but I haven't had the free time to dig yet :(
@astraleureka 6 months, jesus ...
@bonno considering their fix was just removing 8 lines of code, bit ridiculous

@astraleureka Why do all CVEs these days feel like this one?

I'm expecting something novel or unique but it turns out you can trick this software to run arbitrary code as root because it *checks notes* just runs arbitrary code as root.

I say this not to diminish your investigation (it's cool!), but to rag on Microsoft.

Boooo Microsoft

@danvolchek Yeah it's embarrassingly bad on their part. The needrestart bug was more or less the same kind of mistake, too, so it's not like *nix is invulnerable either. There used to be a general awareness that running a process as root/SYSTEM/whatever needs careful thought when interacting with *anything* but that's long gone these days. This one was just extra low-hanging fruit.

@astraleureka

I cannot imagine any scenario where I'd consider MS Linux over using actual (non-Microsoft) Linux? 🤷🏻‍♂️

@astraleureka defender for Linux?
@ity Yeah, Linux and macOS. It has *okay* behavioral tracking for doing post-mortems but I am not sure how practical it would be for stopping an attack in realtime.

@astraleureka nice work! If I may ask… did they award you a bounty for this bug?
@raptor ha. from MS for a Linux product? no chance. I got 40 points on their ~leaderboards~. :eyeroll:
@astraleureka yeah thought so 😞
@astraleureka well i mean Microsoft is run by ants so no surprise there