Why so Spurious? How a Highly Error-Prone x86/x64 CPU Feature can be Abused to Achieve Local Privilege Escalation on Many Operating Systems

Black Hat USA 2018

Presented by: Nemanja Mulasmajic, Nicolas Peterson
Date: Wednesday August 08, 2018
Time: 16:00 - 16:50
Location: Jasmine Ballroom

There exists a "feature" in the x86 architecture that, due to improper handling by many operating system vendors, can be exploited to achieve local privilege escalation. At the time of discovery, this issue was present on the latest versions of Microsoft Windows, Apple's macOS, and certain distributions of Linux. It very likely affects other operating systems on the x86 architecture as well.

For both Intel and AMD CPUs, this vulnerability can be used to reliably exploit Windows 10 by replacing the access token of the current process with the SYSTEM token from an unprivileged, sandboxed user-mode application, resulting in local privilege escalation. On AMD hardware with SMAP/SMEP disabled, exploitation succeeds every time, since arbitrary user-specified memory can be used while executing at CPL 0.

Nemanja Mulasmajic

Nemanja Mulasmajic is an Anti-Cheat Engineer at Riot Games. After starting his career in information security with a brief stint at the Department of Defense, Nemanja, a lifelong gamer, realized that his true passion lay with video games. This led him to move from government work into a career in the video game industry. Nemanja's first job in the gaming sphere was at Blizzard Entertainment, where he worked on architecting the Anti-Cheat system that protects Overwatch. Now, Nemanja works at Riot Games, where he builds new cheat prevention and detection solutions for League of Legends.

Nicolas Peterson

Nick Peterson started his career in reverse engineering with World of Warcraft at age 15. This kicked off his interest in low-level internals, and he began a deep dive into the x86 architecture that led him to create a functioning hobby OS by the age of 21. Drawn to the cat-and-mouse game played between anti-cheat and cheat developers, he continued running subscription-based cheat platforms until he was hired into the Anti-Cheat space by ESEA. Today, Nick does similar low-level work at Riot Games.
