
Proxying to Kernel:
Streaming vulnerabilities from the Windows Kernel

Angelboy

[email protected]

HEXACON2024 | 2024.10.05
1
Who am I

• Angelboy (@scwuaptx)
• Senior Security of DEVCORE
• MSRC 2024 MVR Top 100
• Speaker at
• CODE BLUE, HITCON, HITB GSEC
• Master of Pwn of Pwn2Own Toronto 2022

2
Looking at historical vulnerabilities is
indispensable

3
Pwn2Own Vancouver 2024

4
In-the-wild

• Win32k
• GDI (Graphics Device Interface) and UI functions
• Windows drawing, font management …
• Complexity of Code
• It has been a popular target for attackers over the past decade.

5
In-the-wild

• CLFS
• Common Log File System
• Handles log-based transaction processing
• Complexity of Code
• It has been a popular target for attackers over the past six years.

6
In-the-wild

• MSKSSRV
• Microsoft Kernel Streaming Service
• Handles synchronization of multimedia streams
• Very small
• Last year it became a very popular target, with 2 ITW exploits in just a few months.

8
In-the-wild

• Win32k
• CLFS
• MSKSSRV
• …

9
Let's take a look at MSKSSRV

10
MSKSSRV

• CVE-2023-29360 – logical bug (found by @masthoon)
• MmProbeAndLockPages called with an invalid AccessMode
• No check that the access mode is KernelMode (0)
• Mapping arbitrary kernel memory to user space
• Arbitrary memory writing

12
MSKSSRV

• CVE-2023-36802 – Type Confusion
• No check at all on FileObject->FsContext2
• Context Object / Stream Object type confusion

13
MSKSSRV

• CVE-2024-30089 (found by chompie)

14
But is that the end of it ?

15
Actually …

16
MSKSSRV

• ksthunk.sys
• ks.sys
• portcls.sys
• mspclock.sys
• HdAudio.sys

17
18
19
20
CVE-2024-38054
CVE-2024-30084
CVE-2024-35250
CVE-2024-30090
CVE-2024-38057
21
Brief overview of Kernel Streaming

22
23
What is Kernel Streaming?

• Microsoft-provided services that support kernel-mode processing of streamed data
• Low Latency
• Efficient Data Processing
• Unified Interface
• High Extensibility
24
What is Kernel Streaming?

• Microsoft provides 3 multimedia class driver models
• Port class: audio devices
• AVStream: integrated audio/video streaming
• Stream class
25
How to interact with the device?

26
Enumerate Device

27
Enumerate KS Device

• You can use SetupDiGetClassDevs with the class GUID to enumerate devices

\\?\hdaudio#subfunc_01&ven_8086&dev_2812&nid_0001&subsys_00000000&rev_1000#6&2f1f346a&0&0002&0000001d#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\ehdmiouttopo
28
Enumerate KS Device

• KsOpenDefaultDevice
• Opens a handle to the first device that is listed in the specified Plug and
Play (PnP) category

29
KS Object

30
KS Object

• After we open these devices, Kernel Streaming creates some Kernel Streaming related instances
• KS Filter
• KS Pin
• …
• They encapsulate hardware functions
31
KS Filter (diagram)

Filter Factory -> Filter: Data In -> Node 0 -> Node 1 -> Data Out

https://learn.microsoft.com/en-us/windows-hardware/drivers/audio/audio-filters
32
KS Pin (diagram)

The same filter graph with its Source Pin and Sink Pin marked

https://learn.microsoft.com/en-us/windows-hardware/drivers/audio/audio-filters
33
KS Property

• A Property represents a capability or control-state setting that belongs to a kernel streaming object
• A client can get or set a property of a KS Object by GUID
• Device State
• Data format
• Volume Level

34
KS Property

• Device State is a KS property
• It is queried or set through IOCTL_KS_PROPERTY
35
Kernel Streaming Architecture

36
Kernel Streaming Architecture (diagram, slides 37-38)

Application (User Mode)
 -> I/O Manager (Kernel Mode)
 -> mskssrv / drmk / mspclock / …
 -> ksthunk.sys
 -> ks.sys
 -> KS Filter
Audio Filter stack: portcls -> HdAudio
AVStream stack: ks -> usbvideo

38
ksthunk

• Kernel Streaming WOW Thunk Service Driver
• Entry point of Kernel Streaming
• For backward compatibility
• If the requesting process is WoW64, ksthunk.sys converts the 32-bit request structure into a 64-bit request structure before passing it to the KS Filter
Kernel Streaming Architecture (diagram, same as slide 38)

40
ks.sys

• Kernel CSA Library
• One of the main components of Kernel Streaming
• Provides the interface for Kernel Streaming
• Property
• Event
• …
41
The work flow of set pin state (diagram, built up over slides 42-47)

Application (User Mode) sends IOCTL_KS_PROPERTY
 -> I/O Manager (Kernel Mode)
 -> ksthunk.sys: convert a 32-bit request to a 64-bit request, or pass it down directly
 -> ks.sys KsPropertyHandler: look for the property set, the item and the handler
 -> KS Filter handler: portcls!PinPropertyDeviceState

47
From attacker's view

48
From attacker's view

• There are many properties for each device
• Each has an individual implementation
• No vulnerabilities in ks and ksthunk for a long time
• CVE-2020-16889 (found by @nghiadt1098)
• CVE-2020-17045 (found by @nghiadt1098)
• Each driver handles part of the content individually, which may lead to inconsistencies.
51
We found some trivial vulnerabilities in a few days …

52
Vulnerabilities

• Portcls.sys
• CVE-2024-38055 (OOB)
• CVE-2024-38056
• Ksthunk
• CVE-2024-38054 (OOB)
• CVE-2024-38057

53
We found some interesting things

54
Is it really safe?

55
Is it really safe?
UserMode(1)

56
The Overlooked Bug Class

57
PreviousMode

• A field in the thread object that indicates whether the parameters of a system service call originated in user mode or kernel mode.

(diagram) An Application (User Mode) calling NtCreateFile: kthread->PreviousMode = UserMode. A Device Driver (Kernel Mode) calling ZwCreateFile: kthread->PreviousMode = KernelMode.
58
IRP RequestorMode

• IRP->RequestorMode
• the execution mode of the original requester of the operation
• A copy of the PreviousMode value from the thread object

59
IRP RequestorMode

60
But there are some issues in some cases …

61
A logical bug class

• Windows Kernel Logic Bug Class: Access Mode Mismatch in IO Manager, by James Forshaw

(diagram) Application (User Mode) -> NtOpenFile: PreviousMode == UserMode. Device Driver (Kernel Mode) -> ZwOpenFile -> NtOpenFile: PreviousMode == KernelMode.

https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html
63
A logical bug class

• What happens if kernel code calls OpenFile and the callee relies solely on RequestorMode for validation?

(diagram) The same flow, with the kernel-mode path (PreviousMode == KernelMode) marked "No Access Check".

• Bypass
• Security Access Check
• Memory Access Check

https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html
65
It focuses on Zw* system service calls

66
Are there other potential causes
for this bug class?

67
The Bug Pattern

• IoBuildDeviceIoControlRequest

(diagram, slides 69-72) Application (User Mode) -> Nt*: the IRP's RequestorMode = UserMode -> the first Device Driver calls IoBuildDeviceIoControlRequest, which builds a new IRP with RequestorMode = KernelMode -> IofCallDriver -> the second Device Driver

72
After a quick review of this bug pattern in KS

73
74
But …

75
CKsPin::GetState (decompiled, slides 76-78): the property request is issued with KernelMode and goes through SerializePropertySet / UnserializePropertySet

78
78
Look for the bug pattern in KS

1. KsSynchronousIoControlDevice
2. Controllable
• InputBuffer
• OutputBuffer
3. IOCTL relies on RequestorMode for security checks

79
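The three search criteria above describe one bug shape: a driver takes buffers from an untrusted caller, rebuilds the request as a kernel-originated IRP, and a downstream handler decides whether to probe those buffers by looking only at Irp->RequestorMode. The following is an added teaching model, not code from the slides or from any Windows driver: the IRP, ProbeForRead, IoBuildDeviceIoControlRequest and both drivers are simplified plain-C stand-ins (all names and the x64-style address split are assumptions) so it compiles and runs on any host. It contrasts the proxying driver as the pattern describes it with a hardened version that probes the buffer itself and carries the original requestor mode forward.

```c
/* Added example (not code from the slides or from any Windows driver): a
 * plain-C model of the "proxy" access-mode mismatch. The IRP, the I/O
 * manager, ProbeForRead and the two drivers are simplified stand-ins so the
 * model compiles and runs on any host; all names here are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;

/* Model IRP: only the fields the bug pattern depends on. */
typedef struct {
    KPROCESSOR_MODE RequestorMode;
    const void *InputBuffer;
    size_t InputLength;
} IRP;

typedef enum { REQ_REJECTED = 0, REQ_ACCEPTED = 1 } Outcome;

/* x64-style user/kernel split used by the model (assumption): user space is
 * everything at or below 0x00007FFFFFFFFFFF. */
#define MM_HIGHEST_USER_ADDRESS ((uintptr_t)0x00007FFFFFFFFFFFULL)

/* Model of ProbeForRead's address check: the whole range must lie in user space. */
static bool range_is_user_space(const void *p, size_t len) {
    uintptr_t start = (uintptr_t)p;
    return start <= MM_HIGHEST_USER_ADDRESS && len <= MM_HIGHEST_USER_ADDRESS - start;
}

/* Downstream IOCTL handler (think: a KS filter's IOCTL_KS_PROPERTY handler).
 * It probes the buffer only for user-mode requestors; kernel-mode requestors
 * are trusted, which is correct as long as RequestorMode is honest. */
static Outcome downstream_handler(const IRP *irp) {
    if (irp->RequestorMode == UserMode &&
        !range_is_user_space(irp->InputBuffer, irp->InputLength))
        return REQ_REJECTED;       /* ProbeForRead would raise STATUS_ACCESS_VIOLATION */
    return REQ_ACCEPTED;           /* proceeds to read InputBuffer */
}

/* Model of IoBuildDeviceIoControlRequest: a kernel-originated IRP, so the
 * I/O manager tags it RequestorMode = KernelMode. */
static IRP build_device_io_control_request(const void *buf, size_t len) {
    IRP irp = { KernelMode, buf, len };
    return irp;
}

/* Vulnerable proxy: forwards the caller's buffers unchanged inside a new
 * kernel-mode IRP. The callee sees KernelMode and skips its probe. */
static Outcome proxy_vulnerable(const IRP *caller_irp) {
    IRP inner = build_device_io_control_request(caller_irp->InputBuffer,
                                                caller_irp->InputLength);
    return downstream_handler(&inner);   /* IofCallDriver in the real stack */
}

/* Hardened proxy: probe the user buffer itself before forwarding, and carry
 * the original requestor mode into the new IRP so the callee keeps checking. */
static Outcome proxy_hardened(const IRP *caller_irp) {
    if (caller_irp->RequestorMode == UserMode &&
        !range_is_user_space(caller_irp->InputBuffer, caller_irp->InputLength))
        return REQ_REJECTED;
    IRP inner = build_device_io_control_request(caller_irp->InputBuffer,
                                                caller_irp->InputLength);
    inner.RequestorMode = caller_irp->RequestorMode;  /* do not launder the trust level */
    return downstream_handler(&inner);
}

/* Constructed inputs: the address is never dereferenced, it is only classified. */
static IRP constructed_request(KPROCESSOR_MODE mode, uintptr_t addr) {
    IRP irp = { mode, (const void *)addr, 0x100 };
    return irp;
}

int main(void) {
    IRP bad  = constructed_request(UserMode, 0xFFFFF80000001000ULL);  /* kernel address */
    IRP good = constructed_request(UserMode, 0x0000000000010000ULL);  /* user address */
    printf("vulnerable proxy, kernel pointer: %s\n",
           proxy_vulnerable(&bad) == REQ_ACCEPTED ? "accepted (bug)" : "rejected");
    printf("hardened proxy,   kernel pointer: %s\n",
           proxy_hardened(&bad) == REQ_ACCEPTED ? "accepted" : "rejected");
    printf("hardened proxy,   user pointer:   %s\n",
           proxy_hardened(&good) == REQ_ACCEPTED ? "accepted" : "rejected");
    return 0;
}
```

The design point is the one the deck returns to at the end: the moment a request is rebuilt with RequestorMode = KernelMode, every check below that point that keys on RequestorMode is gone, so the proxying driver must either do the probing itself or forward the caller's real mode.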
The Vulnerability & Exploitation

82
83
Unserialize the property set

• KSPROPERTY_TYPE_UNSERIALIZESET
• Interact with multiple properties in a single call

(diagram) Application (User Mode) sends a Property Set containing Property 1, Property 2, … to Kernel Streaming (Kernel Mode)
84
UnserializePropertySet (decompiled, slides 85-89): the inner request is issued with KernelMode while the property data is under User Control

89
UnserializePropertySet (diagram, built up over slides 90-96)

Application (User Mode) sends IOCTL_KS_PROPERTY; the IRP's RequestorMode = UserMode
 -> I/O Manager (Kernel Mode)
 -> ksthunk.sys: convert 32-bit to 64-bit
 -> ks.sys KsPropertyHandler: if this property set exists, call UnserializePropertySet
 -> UnserializePropertySet calls KsSynchronousIoControlDevice, which issues a new request with RequestorMode = KernelMode
 -> KS Filter

96
We can do arbitrary IOCTL_KS_PROPERTY with
KernelMode now

97
We need to find a target for EoP

98
UnserializePropertySet (diagram): the KernelMode request from KsSynchronousIoControlDevice reaches ksthunk.sys

99
ksthunk!DispatchIoctl (decompiled, slides 100-104): the handler takes a different path when RequestorMode == KernelMode (0)

104
UnserializePropertySet (diagram): the KernelMode request from KsSynchronousIoControlDevice is dispatched into ksthunk!DispatchIoctl

106
We have an arbitrary call with one argument now

107
Exploitation

108
Mitigation on Win11

• kCFG
• kASLR: NtQuerySystemInformation
• SMEP: Reuse Kernel Code
• …

110
110
Bypass kCFG

• Find a valid function in the Windows kernel
• Our goal is to turn the arbitrary call into an arbitrary memory write
• Search the *Set* functions exported from ntoskrnl.exe
112
Bypass kCFG

113
Two hours later …

114
Bypass kCFG

115
Bypass kCFG

• RtlSetAllBits
• The RtlSetAllBits routine sets all bits in a given bitmap variable.

116
We can set all bits in arbitrary memory

117
Abuse token privilege

• We can use the primitive to enable all privileges in the current process token

(diagram) Eprocess->Token -> Token -> Privileges, treated as an _RTL_BITMAP (SizeOfBitmap, Buffer)
119
The Last Step

• Well-known EoP method with SeDebugPrivilege
• Open the process of winlogon.exe
• Set the thread attribute PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
• Spawn cmd.exe
120
121
It's like a Proxy to Kernel!

122
However …

123
124
KS Device in Hyper-V (diagram, slides 125-126)

In Hyper-V the Audio Filter and AVStream stacks (drmk, mspclock, portcls, HdAudio, usbvideo) are absent: only Application -> I/O Manager -> mskssrv -> ksthunk.sys -> ks.sys -> KS Filter -> KsSynchronousIoControlDevice remains, and there is no DrmAudioStream property set.

126
127
IOCTL_KS_PROPERTY

• Neither I/O
• Uses the user input buffer directly
• InputBuffer = Parameters.DeviceIoControl.Type3InputBuffer
• OutputBuffer = Irp->UserBuffer

128
KspPropertyHandler (decompiled, slides 129-130): works on the user input buffer

130
Let's take a look at UnserializePropertySet again

131
UnserializePropertySet (decompiled, slides 132-133)

Copy user input again!?

133
UnserializePropertySet with the user input buffer (diagram, built up over slides 134-138)

1. Application (User Mode) sends IOCTL_KS_PROPERTY; its user input buffer names KSPROPSETID_Service
2. The first copy lands in SystemBuffer (KSPROPSETID_Service)
3. ks.sys KsPropertyHandler: if this property set exists, call UnserializePropertySet
4. UnserializePropertySet reads the user input buffer again; in that window the application swaps it to DrmAudioStream (trigger race condition)
5. The new input buffer now carries DrmAudioStream and goes through KsSynchronousIoControlDevice with RequestorMode = KernelMode
 -> KS Filter

138
139
140
Is that the end of it ?

141
142
KS Event

143
KS Event

• Event sets are groups of related events for which a listener can request notification.
• A client can register events for
• Device State Change
• Time interval
• ...

144
KS Event

• Use IOCTL_KS_ENABLE_EVENT to register
• EVENT_HANDLE
• SEMAPHORE_HANDLE
145
ksthunk!ThunkEnableEventIrp

• Converts 32-bit IOCTL_KS_ENABLE_EVENT requests to 64-bit requests

146
ThunkEnableEventIrp (decompiled, slides 147-149): takes the user input and issues the converted request with KernelMode

149
ThunkEnableEventIrp (diagram, built up over slides 150-154)

Application (User Mode) sends IOCTL_KS_ENABLE_EVENT; the IRP's RequestorMode = UserMode
 -> I/O Manager (Kernel Mode)
 -> ksthunk.sys ThunkEnableEventIrp: convert 32-bit to 64-bit
 -> KsSynchronousIoControlDevice issues a new request with RequestorMode = KernelMode
 -> KS Filter

154
We can do arbitrary IOCTL_KS_ENABLE_EVENT
with KernelMode now

155
We need to find a target for EoP

156
But we didn't find a suitable target in ksthunk

157
We decided to pass it down to look for a target

158
ThunkEnableEventIrp (diagram): the KernelMode request from KsSynchronousIoControlDevice is passed down to ks.sys KspEnableEvent

159
We found something interesting …

160
KspEnableEvent

161
KS Event

• The output buffer is a KSEVENTDATA structure used to specify a notification method.
• Called from a kernel driver
• EVENT_OBJECT
• DPC
• KSWORKITEM
• …
162
We can provide an arbitrary kernel object to it!

163
But …

164
ThunkEnableEventIrp (decompiled, slides 165-166)

166
Fortunately,
there are double fetches everywhere.

167
ThunkEnableEventIrp (decompiled, slide 168)

Race window

168
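Both double fetches the deck points at (UnserializePropertySet copying the user input a second time on slides 132-138, and the race window in ThunkEnableEventIrp here) have the same shape: a Neither-I/O request leaves the driver holding a raw user-mode pointer, a field is validated through that pointer, and the field is read again from the same pointer when it is used. The following is an added teaching model, not code from the slides or from ks.sys/ksthunk.sys; the request layout, the field names and the "racing thread" hook are assumptions made so the window can be exercised deterministically on any host. It shows the vulnerable check-then-use beside the single-capture form that closes the window.

```c
/* Added example (not code from the slides or from ks.sys/ksthunk.sys): a
 * plain-C model of a double fetch on a Neither-I/O user buffer. The layouts
 * and names below are assumptions made for the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request header living in the user buffer. */
typedef struct {
    uint32_t PropertySetId;   /* which property set the request names */
    uint32_t Length;          /* number of payload bytes that follow */
    uint8_t  Data[64];
} USER_REQUEST;

/* Fixed-size kernel copy of the payload. The copy helper records an overrun
 * instead of performing it, so the model stays memory-safe while still
 * reporting what a real memcpy would have done. */
typedef struct {
    uint8_t bytes[64];
    size_t  copied;
    bool    overran;
} KERNEL_COPY;

static void bounded_copy(KERNEL_COPY *dst, const uint8_t *src, size_t n) {
    if (n > sizeof dst->bytes) {
        dst->overran = true;           /* a real driver would write past the buffer here */
        n = sizeof dst->bytes;
    }
    memcpy(dst->bytes, src, n);
    dst->copied = n;
}

/* Stands in for the racing user thread: invoked inside the window between the
 * two fetches. NULL means nobody races. */
typedef void (*race_hook_t)(USER_REQUEST *user_buf);

/* Vulnerable handler: validates Length through the user pointer, then reads
 * Length from the user pointer a second time when copying. Returns 0 on
 * success, -1 if the first-seen Length is rejected. */
static int handler_double_fetch(USER_REQUEST *user_buf, race_hook_t race, KERNEL_COPY *out) {
    if (user_buf->Length > sizeof out->bytes)      /* fetch 1: check */
        return -1;
    if (race)
        race(user_buf);                             /* race window */
    bounded_copy(out, user_buf->Data, user_buf->Length);  /* fetch 2: use */
    return 0;
}

/* Hardened handler: capture the header once into kernel memory (after
 * ProbeForRead in a real driver) and only ever use the captured copy. */
static int handler_single_fetch(USER_REQUEST *user_buf, race_hook_t race, KERNEL_COPY *out) {
    USER_REQUEST captured;
    memcpy(&captured, user_buf, sizeof captured);  /* the single fetch */
    if (captured.Length > sizeof out->bytes)
        return -1;
    if (race)
        race(user_buf);                             /* same window, now harmless */
    bounded_copy(out, captured.Data, captured.Length);
    return 0;
}

/* Constructed racing thread: grows Length and swaps the property set id. */
static void race_grow_length(USER_REQUEST *user_buf) {
    user_buf->Length = 4096;
    user_buf->PropertySetId = 0xDEADBEEF;
}

/* Constructed user request: Length payload bytes of 0xAB. */
static USER_REQUEST constructed_request(uint32_t length) {
    USER_REQUEST r;
    memset(&r, 0, sizeof r);
    r.PropertySetId = 1;
    r.Length = length;
    memset(r.Data, 0xAB, sizeof r.Data);
    return r;
}

int main(void) {
    USER_REQUEST ub = constructed_request(16);
    KERNEL_COPY k = {0};
    handler_double_fetch(&ub, race_grow_length, &k);
    printf("double fetch under race: copied=%zu overran=%d\n", k.copied, k.overran);
    ub = constructed_request(16);
    KERNEL_COPY k2 = {0};
    handler_single_fetch(&ub, race_grow_length, &k2);
    printf("single fetch under race: copied=%zu overran=%d\n", k2.copied, k2.overran);
    return 0;
}
```

The fix is not a stronger check but fewer fetches: once the header has been copied into memory the caller cannot touch, validation and use operate on the same bytes, and the racing thread has nothing left to change.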
If we trigger the event, it calls KsGenerateEvent

169
KsGenerateEvent (decompiled, slides 170-171)

Arbitrary DPC registration

171
KsIncrementCountedWorker (decompiled)

Arbitrary memory increment
We have arbitrary increment primitive now

173
Arbitrary increment primitive to EoP

• There are many well-known methods
• Abuse token privilege
• IoRing
• …

174
It seems trivial, but ...

175
Arbitrary increment primitive to EoP

• Abuse token privilege
• Need to overwrite Privileges.Enabled and Privileges.Present
• Need to trigger the bug multiple times
• It may take a long time
176
Arbitrary increment primitive to EoP

• IoRing
• Need to overwrite IoRing->RegBuffersCount and IoRing->RegBuffers
• Good Candidate
• Only need to trigger the bug twice

177
KsIncrementCountedWorker

178
179
Let's find a new way!

180
Arbitrary increment primitive to EoP

• Abuse token privilege
• The goal is to obtain SeDebugPrivilege
• Open the process of winlogon.exe
181
Why does having SeDebugPrivilege allow you to open a high-privilege process?

182
PsOpenProcess (decompiled, slides 183-185)

185
Make abusing token privilege great again (diagram, slides 186-187)

Application (User Mode) calls NtOpenProcess -> PsOpenProcess -> SeSinglePrivilegeCheck(nt!SeDebugPrivilege, value 0x14) -> the check looks up bit 0x14 in Token->Privileges (reached through Eprocess->Token)

187
One more interesting thing …

188
nt!SeDebugPrivilege

Writable !!!

189
Make abusing token privilege great again!

190
Make abusing token privilege great again (decompiled, slides 191-192)

192
nt!SeChangeNotifyPrivilege
193
How about changing the value of
nt!SeDebugPrivilege from 0x14 to 0x17 ?

194
Make abusing token privilege great again (diagram, slides 195-197)

The same flow as slides 186-187, but with nt!SeDebugPrivilege changed to 0x17: NtOpenProcess -> PsOpenProcess -> SeSinglePrivilegeCheck now looks up bit 0x17 in Token->Privileges (reached through Eprocess->Token)

197
Make abusing token privilege great again

• We can use the arbitrary increment primitive to increase nt!SeDebugPrivilege to 0x17

(diagram) nt!SeDebugPrivilege now reads 0x17; its original value V1 == 0x14
199
Make abusing token privilege great again

• Not only nt!SeDebugPrivilege, but also …
• SeTcbPrivilege = 0x7
• SeTakeOwnershipPrivilege = 0x9
• SeLoadDriverPrivilege = 0xa
• …
200
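The slides from 182 onward explain why a writable privilege LUID global is enough: SeSinglePrivilegeCheck identifies the privilege only by the LUID value it is handed, so if the constant for SeDebugPrivilege (0x14) comes to hold 0x17, the check is answered by the SeChangeNotifyPrivilege bit that every standard token already has enabled. The following is an added teaching model, not code from the slides or from ntoskrnl: the LUID values are the real winnt.h constants, but the token bitmap layout, the globals structure and the integrity check are assumptions made for the model. It shows the check's dependence on the constant, and the kind of known-good comparison an integrity monitor can use to detect that a constant has been altered.

```c
/* Added example (not code from the slides or from ntoskrnl): a plain-C model
 * of a privilege check resolved through kernel-global LUID constants, plus an
 * integrity check over those constants. LUID values are the winnt.h ones; the
 * struct layouts are assumptions for the model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Privilege LUID values as defined in winnt.h (SE_*_PRIVILEGE). */
enum {
    SE_TCB_PRIVILEGE            = 0x07,
    SE_TAKE_OWNERSHIP_PRIVILEGE = 0x09,
    SE_LOAD_DRIVER_PRIVILEGE    = 0x0a,
    SE_DEBUG_PRIVILEGE          = 0x14,
    SE_CHANGE_NOTIFY_PRIVILEGE  = 0x17
};

typedef struct { uint32_t LowPart; int32_t HighPart; } LUID;

/* Model of the kernel's per-privilege LUID globals (nt!SeDebugPrivilege, ...).
 * They are ordinary writable variables here, which is the property the slides
 * point out: the check below trusts whatever value is stored in them. */
typedef struct {
    LUID SeTcbPrivilege;
    LUID SeTakeOwnershipPrivilege;
    LUID SeLoadDriverPrivilege;
    LUID SeDebugPrivilege;
    LUID SeChangeNotifyPrivilege;
} PRIVILEGE_GLOBALS;

static PRIVILEGE_GLOBALS pristine_privilege_globals(void) {
    PRIVILEGE_GLOBALS g = {
        { SE_TCB_PRIVILEGE, 0 }, { SE_TAKE_OWNERSHIP_PRIVILEGE, 0 },
        { SE_LOAD_DRIVER_PRIVILEGE, 0 }, { SE_DEBUG_PRIVILEGE, 0 },
        { SE_CHANGE_NOTIFY_PRIVILEGE, 0 }
    };
    return g;
}

/* Token privileges as 64-bit Present/Enabled bitmaps (modelled on
 * SEP_TOKEN_PRIVILEGES): bit n stands for the privilege whose LUID is n. */
typedef struct { uint64_t Present; uint64_t Enabled; } TOKEN_PRIVILEGES_MODEL;

/* A standard user token: SeChangeNotifyPrivilege is present and enabled by
 * default, SeDebugPrivilege is not granted at all. */
static TOKEN_PRIVILEGES_MODEL standard_user_token(void) {
    uint64_t bit = 1ULL << SE_CHANGE_NOTIFY_PRIVILEGE;
    TOKEN_PRIVILEGES_MODEL t = { bit, bit };
    return t;
}

/* Model of SeSinglePrivilegeCheck: the privilege is identified only by the
 * LUID value passed in, so the answer is as trustworthy as that value. */
static bool se_single_privilege_check(const TOKEN_PRIVILEGES_MODEL *token, LUID priv) {
    if (priv.HighPart != 0 || priv.LowPart >= 64)
        return false;
    uint64_t bit = 1ULL << priv.LowPart;
    return (token->Present & bit) && (token->Enabled & bit);
}

/* Integrity check a kernel integrity monitor could apply: compare the live
 * LUID globals with their known-good values. Any data-only change to a
 * constant, however small, shows up here. */
static bool privilege_globals_intact(const PRIVILEGE_GLOBALS *live) {
    PRIVILEGE_GLOBALS golden = pristine_privilege_globals();
    return memcmp(live, &golden, sizeof golden) == 0;
}

int main(void) {
    PRIVILEGE_GLOBALS g = pristine_privilege_globals();
    TOKEN_PRIVILEGES_MODEL t = standard_user_token();
    printf("standard user passes SeDebugPrivilege check: %s\n",
           se_single_privilege_check(&t, g.SeDebugPrivilege) ? "yes" : "no");
    g.SeDebugPrivilege.LowPart += 3;   /* simulated corruption: 0x14 -> 0x17 */
    printf("after the constant is altered:              %s\n",
           se_single_privilege_check(&t, g.SeDebugPrivilege) ? "yes" : "no");
    printf("integrity check flags the globals:          %s\n",
           privilege_globals_intact(&g) ? "no" : "yes");
    return 0;
}
```

The check itself is sound; what it cannot do is verify that the identity it was given is the one the caller meant, which is why the values behind nt!SeDebugPrivilege and its siblings belong in a known-good comparison rather than being assumed constant.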
201
Proxying to Kernel again!

202
203
The Next

204
The Next

• The overlooked bug class
• It may be possible to find more related proxy-type bugs
• IoBuildDeviceIoControlRequest
• IofCallDriver
• ...
• The timing of setting Irp->RequestorMode to KernelMode is very important.
205
The Next

• The attack surface
• Kernel streaming has many components
• Low-hanging fruit
• Hdaudio.sys
• Usbvideo.sys
• …
206
Takeaways

• Looking at historical vulnerabilities is indispensable
• When current exploitation methods no longer work, explore the core mechanics - you may discover new approaches.
207
Is that the end of it ?

208
CVE-2024-38125
CVE-2024-38055
CVE-2024-38056
CVE-2024-38191
CVE-2024-38054
CVE-2024-38144
CVE-2024-30084
CVE-2024-38052
CVE-2024-35250
CVE-2024-38057
CVE-2024-30090
209
To Be Continued …

210
Thanks!
scwuaptx
[email protected]

211
