DATA-ONLY PWNING MICROSOFT WINDOWS KERNEL: EXPLOITATION OF KERNEL POOL OVERFLOWS ON MICROSOFT WINDOWS 8.1

DATA-ONLY PWNING MICROSOFT WINDOWS KERNEL: EXPLOITATION OF KERNEL POOL OVERFLOWS ON MICROSOFT WINDOWS 8.1

Each new version of Windows OS Microsoft enhances security by adding security mitigation mechanisms - Kernel land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox is by using a kernel vulnerability. That's why Microsoft struggles to enhance security of Windows kernel.

Kernel pool allocator plays a significant role in security of whole kernel. Since Windows 7, Microsoft started to enhance the security of the Windows kernel pool allocator. In Windows 8, Microsoft has eliminated almost all reliable (previously published) techniques of exploiting kernel pool corruptions.

Then Microsoft eliminated "0xBAD0B0B0" technique in Windows 8.1, and there is no easy technique to exploit Pool Overflows on Windows 8.1 at the moment.

The brand new exploitation technique uses some tricks to convert pool overflow in several primitives:

  1. Arbitrary memory read/write
  2. Hijack of execution flow
  3. Adjacent read/write

This talk presents a new technique of exploiting pool overflows, with very interesting effect: elevating privileges without executing any kernel shellcode or using ROP.

Presented by