CVE-2019-1184
Published 2019-08-14
Priority: P3 · 58 · medium · 6.7 (CVSS 3.1)
Vector: AV:L / AC:H / PR:L / UI:R / S:U / C:H / I:H / A:H
Exploit: EPSS 70.23% (99.3rd percentile)
An elevation of privilege vulnerability exists when Windows Core Shell COM Server Registrar improperly handles COM calls. An attacker who successfully exploited this vulnerability could potentially set certain items to run at a higher level and thereby elevate permissions.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting unprotected COM calls.
Affected (23 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_version_1803 | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1809 | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_32-bit_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_arm64-based_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_x64-based_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2019 | >= 10.0.0 < publication | publication |
| msrc | windows_10_version_1803_for_32-bit_systems | — | — |
| msrc | windows_10_version_1803_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1803_for_x64-based_systems | — | — |
| msrc | windows_10_version_1809_for_32-bit_systems | — | — |
| msrc | windows_10_version_1809_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1809_for_x64-based_systems | — | — |
| msrc | windows_10_version_1903_for_32-bit_systems | — | — |
| msrc | windows_10_version_1903_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1903_for_x64-based_systems | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_version_1803 | — | — |
| msrc | windows_server_version_1903 | — | — |
Detection & IOCs (extracted from sources)
- Detection: Monitor for low-integrity processes activating the CoreShellCOMServerRegistrar COM class (CLSID 54E14197-88B0-442F-B9A3-86837061E2FB) via CLSCTX_LOCAL_SERVER, which should only be done by sihost.exe.
- Detection: Detect calls to the OpenProcess and DuplicateHandle methods of CoreShellCOMServerRegistrar from low-integrity processes; these are the primary exploit primitives used to escalate from low to medium integrity.
- Detection: Detect VirtualAllocEx with PAGE_EXECUTE_READWRITE followed by WriteProcessMemory and CreateRemoteThread targeting sihost.exe from a process at low integrity; this is the shellcode injection pattern used by the public exploit.
- Context: The August 2019 patch loosened the DACL (replacing capability SIDs with ALL APPLICATION PACKAGES) and added manual capability checks in code; the October 2019 patch reversed this and instead raised the mandatory integrity label in the LaunchPermission SACL from Low (LW) to Medium. Detection logic should account for both patch states.
- Context: The exploit requires an interactive user session because sihost.exe (the COM server) is only launched when a user logs on interactively; the attack surface does not exist on headless/server sessions without an interactive logon.
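The three detection indicators above, implemented as rules over telemetry and run against a few constructed event records. This is an added example, not code from the page or from any of the sources it cites; the record schema (kind, pid, il, clsid, clsctx, method, api, target, protect) is an assumption made for illustration and would have to be mapped onto whatever your sensor actually emits. The interactive-session caveat is not modeled.

```python
"""Rules for the CVE-2019-1184 indicators, run over constructed telemetry.
Added example; the event schema below is an assumption, not any sensor's format."""
from collections import defaultdict

CORESHELL_REGISTRAR_CLSID = "{54E14197-88B0-442F-B9A3-86837061E2FB}"
SIHOST = "sihost.exe"
# Registrar methods the public exploit uses as its handle primitives.
HANDLE_METHODS = {"OpenProcess", "DuplicateHandle"}
# Order in which the exploit's injection primitives hit sihost.exe.
INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def _is_registrar(event):
    return event.get("clsid", "").upper() == CORESHELL_REGISTRAR_CLSID


def detect(events):
    """Return one alert dict per matched indicator, in event order."""
    alerts = []
    chain_step = defaultdict(int)  # source pid -> index of the next expected chain call
    for ev in events:
        low_il = ev.get("il") == "Low"
        kind = ev["kind"]
        if kind == "com_activate":
            # Rule 1: a low-IL process activating the registrar as a local server.
            if low_il and _is_registrar(ev) and ev.get("clsctx") == "CLSCTX_LOCAL_SERVER":
                alerts.append({"rule": "low_il_activation", "pid": ev["pid"], "image": ev.get("image")})
        elif kind == "com_call":
            # Rule 2: OpenProcess / DuplicateHandle on the registrar from low IL.
            if low_il and _is_registrar(ev) and ev.get("method") in HANDLE_METHODS:
                alerts.append({"rule": "low_il_handle_method", "pid": ev["pid"], "method": ev["method"]})
        elif kind == "api_call":
            # Rule 3: RWX alloc -> write -> remote thread into sihost.exe, all from low IL.
            if not (low_il and ev.get("target") == SIHOST):
                continue
            step = chain_step[ev["pid"]]
            expected = INJECTION_CHAIN[step]
            if ev.get("api") != expected:
                continue  # out-of-order call: keep waiting for the expected step
            if expected == "VirtualAllocEx" and ev.get("protect") != "PAGE_EXECUTE_READWRITE":
                continue  # only an RWX allocation starts the chain
            step += 1
            if step == len(INJECTION_CHAIN):
                alerts.append({"rule": "sihost_injection", "pid": ev["pid"]})
                step = 0
            chain_step[ev["pid"]] = step
    return alerts


# Constructed sample telemetry: one benign activation, one low-IL exploit sequence,
# and a medium-IL process injecting into sihost.exe (outside this CVE's pattern).
SAMPLE_EVENTS = [
    {"kind": "com_activate", "pid": 4120, "image": SIHOST, "il": "Medium",
     "clsid": CORESHELL_REGISTRAR_CLSID, "clsctx": "CLSCTX_LOCAL_SERVER"},
    {"kind": "com_activate", "pid": 7788, "image": "sandboxed.exe", "il": "Low",
     "clsid": CORESHELL_REGISTRAR_CLSID, "clsctx": "CLSCTX_LOCAL_SERVER"},
    {"kind": "com_call", "pid": 7788, "il": "Low", "clsid": CORESHELL_REGISTRAR_CLSID, "method": "OpenProcess"},
    {"kind": "com_call", "pid": 7788, "il": "Low", "clsid": CORESHELL_REGISTRAR_CLSID, "method": "DuplicateHandle"},
    {"kind": "api_call", "pid": 7788, "il": "Low", "api": "VirtualAllocEx", "target": SIHOST,
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"kind": "api_call", "pid": 7788, "il": "Low", "api": "WriteProcessMemory", "target": SIHOST},
    {"kind": "api_call", "pid": 7788, "il": "Low", "api": "CreateRemoteThread", "target": SIHOST},
    {"kind": "api_call", "pid": 2200, "il": "Medium", "api": "VirtualAllocEx", "target": SIHOST,
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"kind": "api_call", "pid": 2200, "il": "Medium", "api": "WriteProcessMemory", "target": SIHOST},
    {"kind": "api_call", "pid": 2200, "il": "Medium", "api": "CreateRemoteThread", "target": SIHOST},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 3 keys its state on the source pid and tolerates unrelated calls between the three steps, since real telemetry interleaves; resetting on any non-matching call would let an attacker defeat the rule with a single extra API call.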
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vendor_msrc | — | 6.7 | MEDIUM | — |
GHSA · GHSA-5xj6-qhjx-f6xh · CVE-2019-1180 [HIGH] · ghsa_unreviewed · 2022-05-24 · CVSS 7.0
An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1173, CVE-2019-1174, CVE-2019-1175, CVE-2019-1177, CVE-2019-1178, CVE-2019-1179, CVE-2019-1184, CVE-2019-1186.
GHSA · GHSA-82mq-2jww-m58g · CVE-2019-1179 [HIGH] · ghsa_unreviewed · 2022-05-24 · CVSS 7.0
An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1173, CVE-2019-1174, CVE-2019-1175, CVE-2019-1177, CVE-2019-1178, CVE-2019-1180, CVE-2019-1184, CVE-2019-1186.
GHSA · GHSA-f245-h455-7hqv · CVE-2019-1173 [HIGH] · ghsa_unreviewed · 2022-05-24 · CVSS 7.0
An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1174, CVE-2019-1175, CVE-2019-1177, CVE-2019-1178, CVE-2019-1179, CVE-2019-1180, CVE-2019-1184, CVE-2019-1186.
GHSA · GHSA-vfjm-94qj-mfgw · CVE-2019-1178 [HIGH] · ghsa_unreviewed · 2022-05-24 · CVSS 7.0
An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1173, CVE-2019-1174, CVE-2019-1175, CVE-2019-1177, CVE-2019-1179, CVE-2019-1180, CVE-2019-1184, CVE-2019-1186.
GHSA · GHSA-5fw3-2234-g822 · CVE-2019-1175 [HIGH] · CWE-269 · ghsa_unreviewed · 2022-05-24 · CVSS 7.0
An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1173, CVE-2019-1174, CVE-2019-1177, CVE-2019-1178, CVE-2019-1179, CVE-2019-1180, CVE-2019-1184, CVE-2019-1186.
GHSA · GHSA-xr5g-7pxf-gp8f · CVE-2019-1177 [HIGH] · CWE-269 · ghsa_unreviewed · 2022-05-24 · CVSS 7.0
An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1173, CVE-2019-1174, CVE-2019-1175, CVE-2019-1178, CVE-2019-1179, CVE-2019-1180, CVE-2019-1184, CVE-2019-1186.
GHSA · GHSA-hxfv-8253-2p76 · CVE-2019-1186 [HIGH] · ghsa_unreviewed · 2022-05-24 · CVSS 7.0
An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1173, CVE-2019-1174, CVE-2019-1175, CVE-2019-1177, CVE-2019-1178, CVE-2019-1179, CVE-2019-1180, CVE-2019-1184.
GHSA · GHSA-24jg-p7g4-p8rm · CVE-2019-1184 [HIGH] · ghsa_unreviewed · 2022-05-24 · CVSS 7.0
An elevation of privilege vulnerability exists when Windows Core Shell COM Server Registrar improperly handles COM calls, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1173, CVE-2019-1174, CVE-2019-1175, CVE-2019-1177, CVE-2019-1178, CVE-2019-1179, CVE-2019-1180, CVE-2019-1186.
GHSA · GHSA-9qcm-3p54-9cgq · CVE-2019-1174 [HIGH] · CWE-1257 · ghsa_unreviewed · 2022-05-24 · CVSS 7.0
An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1173, CVE-2019-1175, CVE-2019-1177, CVE-2019-1178, CVE-2019-1179, CVE-2019-1180, CVE-2019-1184, CVE-2019-1186.
Microsoft · vendor_msrc · 2019-08-13 · CVSS 6.7
CVE-2019-1184 [MEDIUM] Windows Elevation of Privilege Vulnerability
Description: identical to the summary at the top of this page.
Product: Windows Shell
Vendor: Microsoft
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitat
No detection rules found.
Trend Micro · blogs_trendmicro · 2019-12-20 · CVSS 6.7
CVE-2019-1184 [MEDIUM] Privilege Escalation Via the Core Shell COM Registrar Object
By Simon Zuckerbraun, 2019/12/20
This post goes over privilege escalation via the core shell COM registrar object.
This final post in our series on interesting vulnerabilities from 2019 highlights an elegant local escalation of privilege (LPE) bug affecting Windows 10. It was submitted to us by an anonymous researcher and has the identifier CVE-2019-1184 . Exploiting this vulnerability allows a sandboxed process running at low integrity to execute arbitrary code at medium integrity.
The COM Object and its Launch Permission
This vulnerability centers around a COM class named CoreShellCOMServerRegistrar. An entry for this object appears in the Registry under HKCR\CLSID, specifying an in-pr
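A check that tells the two patch states apart by reading the mandatory integrity label on the class's launch permission. This is an added example, not code from the Trend Micro post or from Microsoft. COM launch permissions are stored as a binary self-relative SECURITY_DESCRIPTOR in the LaunchPermission value under the server's HKCR\AppID key; this page does not state which AppID CoreShellCOMServerRegistrar is registered under, so the functions take the raw bytes as input and the descriptors fed to them below are constructed here rather than read from a registry. The threshold (a Low label lets low-IL callers through, a Medium label does not) follows the patch description in the Detection & IOCs section.

```python
"""Parse the SYSTEM_MANDATORY_LABEL ACE out of a self-relative security descriptor
(added example; sample descriptors are constructed, not read from a real registry)."""
import struct

SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000
ACL_REVISION = 2
SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP = 0x04
SECURITY_MANDATORY_LABEL_AUTHORITY = 16  # label SIDs have the form S-1-16-<rid>
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                    0x3000: "High", 0x4000: "System"}


def _parse_sid(buf, off):
    """Decode a binary SID at buf[off]; return (identifier authority, [sub-authorities])."""
    revision, count = buf[off], buf[off + 1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = list(struct.unpack_from("<%dI" % count, buf, off + 8))
    return authority, subs


def mandatory_label(sd):
    """Return (level name, rid, policy mask) for the mandatory-label ACE in the SACL
    of a self-relative security descriptor, or None if the SACL has no such ACE."""
    revision, _sbz1, control, _owner, _group, off_sacl, _dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not (control & SE_SELF_RELATIVE):
        raise ValueError("not a revision-1 self-relative security descriptor")
    if not (control & SE_SACL_PRESENT) or off_sacl == 0:
        return None
    _rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_sacl)
    pos = off_sacl + 8  # first ACE follows the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == SYSTEM_MANDATORY_LABEL_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            authority, subs = _parse_sid(sd, pos + 8)
            if authority != SECURITY_MANDATORY_LABEL_AUTHORITY or len(subs) != 1:
                raise ValueError("label ACE does not carry an S-1-16 SID")
            rid = subs[0]
            return INTEGRITY_LEVELS.get(rid, "0x%x" % rid), rid, mask
        pos += ace_size
    return None


def launchable_from_low_il(sd):
    """True when the label does not keep a Low-integrity caller out: either no label
    at all, or a label at Low or below (the pre-October-2019 state described above)."""
    label = mandatory_label(sd)
    if label is None:
        return True
    _name, rid, _mask = label
    return rid <= 0x1000


def build_launch_permission(label_rid, mask=SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP):
    """Constructed sample: a minimal self-relative SD whose SACL holds one mandatory-label
    ACE. Real LaunchPermission blobs also carry owner, group and a DACL; omitted here."""
    sid = bytes([1, 1]) + SECURITY_MANDATORY_LABEL_AUTHORITY.to_bytes(6, "big") + struct.pack("<I", label_rid)
    ace = struct.pack("<BBHI", SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(ace), 1, 0) + ace
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_SACL_PRESENT, 0, 0, 20, 0)
    return header + acl


if __name__ == "__main__":
    for name, rid in (("pre-October-2019 (LW)", 0x1000), ("post-October-2019 (ME)", 0x2000)):
        blob = build_launch_permission(rid)
        print(name, mandatory_label(blob), "low-IL launch allowed:", launchable_from_low_il(blob))
```

On a live system the bytes would come from the LaunchPermission value under the server's AppID key; the parser only needs the SACL, so it is unaffected by the DACL changes the August 2019 patch made.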
Talos · blogs_talos · 2019-08-13 · CVSS 9.1
[CRITICAL] Microsoft Patch Tuesday — Aug. 2019: Vulnerability disclosures and Snort coverage
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 97 vulnerabilities, 31 of which are rated "critical," 65 that are considered "important" and one "moderate."
This month's security update covers security issues in a variety of Microsoft services and software, including certain graphics components, Outlook and the Chakra Scripting Engine. For more on our coverage of these bugs, check out our Snort advisories here, covering all of the new rules we have for this release.
### Critical vulnerabilities
Microsoft disclosed 31 critical vulnerabilities this month, three of which we will highlight below.
CVE-2019-1181 and CVE-2019-1182 are both remote code execution vulnerabilities in Remote De
Zscaler · blogs_zscaler · CVSS 4.2
[MEDIUM] Zscaler found Multiple Security Vulnerabilities | 08-14-2019