Time Table

Over the past few decades, the attack surface in in-the-wild vulnerabilities has gradually shifted from Win32k to CLFS. Microsoft has been consistently and actively patching these vulnerabilities. Who might become the next target? Last year, MSKSSRV became a hot target for hackers. However, it is just a part of the Kernel Streaming.

In this presentation, we are going to reveal the long-overlooked attack surface for privilege escalation in the Windows Kernel, which we exploited to identify over 20 vulnerabilities in just a few months. Our successful Windows LPE at Pwn2Own Vancouver 2024 was actually one of these vulnerabilities, and it was just the tip of the iceberg. That also allows us to compromise across systems from Windows 7 to Windows 11. Additionally, we delve into a novel proxy-based logical bug class used at Pwn2Own that enables us to pivot ourselves into the kernel to ignore most validations. Meanwhile, we will demonstrate how this kind of bug class can lead to severe consequences, making exploitation straightforward.

Through this talk, we’ll share our discovery of this attack surface and the bug class, providing some case studies on the power and elegance of this type of vulnerability. We’ll also introduce techniques for identifying and exploring similar vulnerability patterns, empowering attendees to discover and mitigate future security issues in the Windows ecosystem.