C3Subtitles: 35c3: Exploiting Kernel Memory Corruptions on Microsoft Windows 10 RedStone 5

Exploiting Kernel Memory Corruptions on Microsoft Windows 10 RedStone 5


Video duration
Not yet available
Language
English
Abstract
This talk is about new challenges in exploiting kernel memory corruptions on brand new Microsoft Windows RedStone 5.

With each new version of the Windows OS, Microsoft enhances security by adding mitigation mechanisms, so kernel-land vulnerabilities are becoming more and more valuable. For example, the easiest way to escape from a sandbox is to use a kernel vulnerability. That is why Microsoft keeps working to harden the Windows kernel.

The kernel pool allocator plays a significant role in the security of the whole kernel. Starting with Windows 7, Microsoft began hardening the Windows kernel pool allocator. In Windows 8, Microsoft eliminated almost all reliable (previously published) techniques for exploiting kernel pool corruptions.

Microsoft then eliminated the "0xBAD0B0B0" technique in Windows 8.1, leaving no easy technique for exploiting pool overflows on Windows 8.1.

Then the DKOM/DKOHM technique was presented, which gave really nice primitives (arbitrary read/write/execute) for kernel exploitation.

Following up, Microsoft obfuscated the TypeIndex in the object header, rendering the DKOM/DKOHM technique useless.

But Microsoft left the optional headers unprotected, which gave birth to the DKOOHM technique.

Sadly enough, Microsoft introduced a brand new kernel memory allocator in Windows 10 RS5, leaving the current pool memory manipulation techniques useless.

This talk presents new techniques of exploiting kernel memory corruptions on Windows 10 RS5.

Talk ID
9903
Event
35c3
Day
1
Room
Dijkstra
Start
8:50 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Nikita Tarakanov

The video is not yet available