Proxying to Kernel: Streaming vulnerabilities from Windows Kernel
DAY 1, 10:50 - 11:30
Over the past few decades, the attack surface seen in in-the-wild vulnerabilities has gradually shifted from Win32k to CLFS, and Microsoft has been consistently and actively patching these vulnerabilities. Who might become the next target? Last year, MSKSSRV became a hot target for hackers, yet it is only one part of Kernel Streaming.
In this presentation, we reveal a long-overlooked attack surface for privilege escalation in the Windows Kernel, which we used to identify over 20 vulnerabilities in just a few months. Our successful Windows LPE at Pwn2Own Vancouver 2024 was one of these vulnerabilities, and it was just the tip of the iceberg. These vulnerabilities also allow us to compromise systems from Windows 7 through Windows 11. Additionally, we delve into a novel proxy-based logical bug class, used at Pwn2Own, that lets us pivot into the kernel and bypass most validation. We will also demonstrate how this bug class can lead to severe consequences, making exploitation straightforward.
Through this talk, we will share our discovery of this attack surface and the bug class, providing case studies on the power and elegance of this type of vulnerability. We will also introduce techniques for identifying and exploring similar vulnerability patterns, empowering attendees to discover and mitigate future security issues in the Windows ecosystem.
Location: Track 1 (HALL B)
Category: Technical
Speakers
Angelboy Yang (Angelboy・ヤン)
An-Jie Yang, aka Angelboy, is a senior security researcher at DEVCORE and a member of the CHROOT security group from Taiwan. He is a vulnerability researcher focusing on Windows-related security and was selected as one of the MSRC Most Valuable Security Researchers in 2024. He has participated in many CTFs, such as HITB, DEFCON and Boston Key Party, and placed 2nd at DEFCON CTF 25 and 27 with the HITCON CTF team. In the past two years, he has pwned several products at Pwn2Own Mobile. He also won the title of "Master of Pwn" at Pwn2Own Toronto 2022 with the DEVCORE team. He has spoken at several conferences, including HITCON, CODE BLUE, AVTokyo and HITB GSEC.
Twitter: @scwuaptx