PolyWolf on Security

Windows Kernel Exploit Resources

Posted on 2022-07-31: https://twitter.com/alexjplaskett/status/1553738346391822336

@alexjplaskett:

🔥 Like Windows Kernel exploitation? You're in luck! 10 items of Windows kernel exploit research from 2020/2021 🧵

🔥 1/ https://sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf by @OnlyTheDuck @paulfariello - The most complete and recent overview of the Windows Kernel Segment Heap from an exploitation perspective.

🔥 2/ https://research.nccgroup.com/2021/07/15/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-1/ https://research.nccgroup.com/2021/08/17/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-2/ - Two articles I wrote on what I assumed was a similar WNF technique seen in the wild, to understand how this subsystem could have been abused and the vuln (based on an article by @oct0xor / @craiu etc. https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/).

🔥 3/ https://blog.exodusintel.com/2022/03/10/exploiting-a-use-after-free-in-windows-common-logging-file-system-clfs/ by @AravGarg3 - A use-after-free in clfs.sys, which then uses a similar WNF technique as explained in the previous tweet to enable better primitives, and techniques mentioned in Scoop the Windows 10 Pool to perform heap grooming. Data-only attack escalation.

🔥 4/ https://windows-internals.com/one-i-o-ring-to-rule-them-all-a-full-read-write-exploit-primitive-on-windows-11/ by @yarden_shafir - A novel post-exploitation primitive unique to Windows 11 22H2+ which can turn an arbitrary write/inc into full read and write of kernel memory by abusing I/O Ring and its operations. A POC was also released.

🔥 5/ https://msrndcdn360.blob.core.windows.net/bluehat/bluehatil/2022/assets/doc/Smash%20The%20Ref%20-%20A%20Design%20Flaw%20in%20Windows%20Kernel__Gil%20Dabah.pdf Smash the Ref by @_arkon - Win32k has been a huge source of kernel bugs over the years. This talk goes into more than 15 bugs @_arkon found and the novel bug class, attack techniques and mitigation by MSFT.

🔥 6/ https://msrc-blog.microsoft.com/2022/03/22/exploring-a-new-class-of-kernel-exploit-primitive/ by @arudd1ck - Investigates the bug class of arbitrary kernel pointer read (i.e. pointers read from attacker-controlled input do not point to userspace). Investigates the true impact (i.e. is it DoS or a second-order info leak only, or code exec / LPE?).

🔥 7/ https://connormcgarr.github.io/hvci/ HVCI aims to mitigate an attacker being able to execute unsigned code within the Windows Kernel. @33y0re looks at how HVCI affects a typical kernel exploit and shows a way in which, with arb read/write, one can call kernel functions without triggering HVCI/kCFG.

🔥 8/ https://googleprojectzero.blogspot.com/2021/01/windows-exploitation-tricks-trapping.html https://googleprojectzero.blogspot.com/2021/01/hunting-for-bugs-in-windows-mini-filter.html @tiraniddo drops a ton of knowledge within all his posts. In these two: a trick to trap access to virtual memory which could be used when exploiting certain types of bugs, and another on hunting for bugs within Mini-Filter drivers.

🔥 9/ https://googleprojectzero.blogspot.com/2021/01/in-wild-series-windows-exploits.html by @j00ru and Sergei Glazunov. Actually looking at what Windows vulns are being exploited in the wild (in this case font bugs and CSRSS bug analysis) provides defenders with insights on where to focus their mitigation and detection efforts.

🔥 10/ https://msrc-blog.microsoft.com/2022/04/05/randomizing-the-kuser_shared_data-structure-on-windows/ by @rohitwas on finishing off KASLR, where previously KUSER_SHARED_DATA was always mapped at a fixed page of memory within the kernel. The post shows strengthening KASLR in Windows by mitigating the last remaining blind-write target an RCE could use.

… I should really get around to reading these eventually.