oops, I'm a few days late, but MS finally released a patch for the issue I reported last year - CVE-2025-26684
Defender for Linux can be tricked into executing arbitrary code as root. Writeup: https://astr.al/notes/2024-11-28_mdatp_privesc

some reboosts would be much appreciated <3

#microsoft


It's worth noting that MS is lying about the prerequisites:

> Microsoft’s advisory notes that successful exploitation hinges on an attacker already possessing administrative rights, limiting immediate remote exploitation risks.

This is false. Any unprivileged user can trigger this problem; my proof of concept was tested as uid=99/nobody.

@astraleureka hey did they even acknowledge an "execute code as root" vulnerability if they wanted us to believe you needed root to do it? If they were accurate it would have all been an NA.

@jsmall I have a feeling they barely ever have humans looking at this process anymore - it took weeks before they even tried to run the fully-reliable proof of concept I included. "[reproducing the issue ...] has proven more difficult than initially anticipated". (read: "we don't have any mdatp test environments available to us" or "the MSRC reviewers are contractors who are the equivalent of level 1 helpdesk techs", take your pick)

Maybe I'm just suspecting malice, but the CVSS score is a lot lower if they mark the vuln as requiring high privileges.

@astraleureka @jsmall I mean I would mark the severity as low because exploiting it depends on the victim having installed a rootkit from Microsoft on their Linux box. 🤦

But props for showing folks what a bad idea this is.

@dalias @jsmall Unfortunately, it's mandatory for our environment at $work.