Cache the Frames, Catch the Vulnerabilities in Kernel Streaming
DAY 1
14:20-
15:00
Kernel Streaming emerged as a new attack surface in the Windows kernel last year, leading to multiple in-the-wild exploits. Over the past year we uncovered “proxying to kernel”, a logical bug class that bypasses many privilege checks, making exploitation straightforward. However, this is only the tip of the iceberg for Kernel Streaming.
This time, we focus on one of the most common inputs to Kernel Streaming—frames from a webcam. To boost performance, Kernel Streaming introduced an MDL cache mechanism, but it also opened new vulnerabilities. In this talk, we’ll reveal a new array of bug classes, with 10+ vulnerabilities. We’ll explain the design flaws behind them, why they may look unexploitable at first, and how we turn some into arbitrary physical-memory writes.
By witnessing the power of these bugs, attendees will be able to discover and defend against more local privilege-escalation flaws in Windows.
-
Location :
-
Track 1(HALL B)
-
-
Category :
-
Technical
-
-
Share :
Speakers
-
Angelboy Yang
Angelboy・ヤン
An-Jie Yang, aka Angelboy, is a senior security researcher of DEVCORE and a member of CHROOT security group from Taiwan. He is a vulnerability researcher focusing on Windows-related security and was selected as one of the MSRC Most Valuable Security Researchers in 2024 and 2025. He participated in a lot of CTF, such as HITB, DEFCON, Boston key party and won 2nd in DEFCON CTF 25/27 with HITCON CTF Team. In the past two years, he has pwned several products in Pwn2Own Mobile. He also won the title of the 'Master of Pwn' at Pwn2Own Toronto 2022 with the DEVCORE team. He has spoken at several conferences such as HITCON, CODEBLUE, AVTokyo, HITB GSEC.
X(twitter): @scwuaptx