Exploiting CVE-2018-8611 · 2020. 2. 21. · Transcript
Exploiting CVE-2018-8611
Windows Kernel Transaction Manager (KTM) Race Condition
Cedric Halbronn - OffensiveCon 2020
1 / 137
2 / 137
About
Exploit Development Group (EDG), NCC Group
Write exploits to help consultants do their job
Focus on patched vulnerabilities
Cedric Halbronn
Presenting: @saidelike, [email protected]
Aaron Adams
Co-researcher, unable to attend: @fidgetingbits, [email protected]
3 / 137
This talk
Discuss an interesting race condition affecting Microsoft Kernel Transaction Manager (KTM)
Found used in the wild by Kaspersky
Boris Larin (@Oct0xor) and Igor Soumenkov (@2igosha)
Exploited by us early 2019
Never got to see the original exploit or details
Minimal details from Kaspersky at the time
Race condition in KTM
Exploitable from inside browser sandbox
Works on Windows 10
A few hints for triggering the race
Presented by Aaron at POC2019 in November
4 / 137
Notable KTM-related security findings
2010 - CVE-2010-1889 - Tavis Ormandy - invalid free
2015 - MS15-038 - James Forshaw - type confusion
2017 - CVE-2017-8481 - j00ru - stack memory disclosure
2018 - CVE-2018-8611 - Oct0xor/2igosha - Kaspersky blog
2019 - Proton Bot malware uses KTM
Used transacted versions of common functions to evade API inspection
5 / 137
Oct0xor/2igosha - Kaspersky blog
6 / 137
Me when reading write-up
7 / 137
Tooling
Virtualization: VMWare Workstation
Binary analysis: IDA Pro, Hex-Rays Decompiler
Binary diffing: Diaphora
Collaboration: IDArling
Debugging: WinDbg (ring0), virtualkd, x64dbg (ring3)
Additional plugins/tools: ret-sync, HexRaysPyTools
Structure analysis: Vergilius Project, ReactOS source
Syscall numbers: windows-syscalls by j00ru
Slides: Remarkjs
8 / 137
Diffing - functions
9 / 137
Diffing - assembly
10 / 137
Diffing - Hex-Rays pre-cleanup
11 / 137
Agenda
What is KTM?
Patch analysis
Triggering the bug
Finding a write primitive
Building a read primitive
Privilege escalation
Recent bonus info
12 / 137
Windows Kernel Transaction Manager (KTM)
13 / 137
KTM - What is it?
MSDN documentation
KTM Portal
14 / 137
KTM - What is it?
Kernel service added in Windows Vista (~2006)
Windows 7 and earlier: ntoskrnl.exe
Windows 8 and later: tm.sys
Provide "ACID" functionality: atomic, consistent, isolated, and durable
KTM service used by two major Windows components
Transactional Registry
Transactional NTFS
A few dozen APIs/system calls exposed to userland
15 / 137
Important objects
KTM service has 4 fundamental kernel objects
All reference counted objects created by ObCreateObject()
Transaction Manager (TM)
Manages a log of transactions associated with one or more resource managers
Resource Manager (RM)
Manages enlistments related to a specific managed resource doing work for a Transaction
Transaction (Tx)
Tracks a series of sub actions making up a single atomic operation
Enlistment (En)
Some code responsible for doing work related to a Transaction
16 / 137
Important objects
17 / 137
Transaction Manager (TM)
Created using CreateTransactionManager()
Usually first to exist

```c
HANDLE CreateTransactionManager(
    IN LPSECURITY_ATTRIBUTES lpTransactionAttributes,
    LPWSTR LogFileName,
    IN ULONG CreateOptions,
    IN ULONG CommitStrength
);
```

Allocates a _KTM structure on the non-paged pool
TmTm pool tag
A resource manager must be associated with some TM
Optional log for transactions
A volatile TM is one that uses no log file
Set TRANSACTION_MANAGER_VOLATILE flag in CreateOptions parameter
Logs have limited size - problematic for exploitation
18 / 137
_KTM
Most fields omitted

```c
//0x3c0 bytes (sizeof)
struct _KTM
{
    ULONG cookie;                          //0x0
    struct _KMUTANT Mutex;                 //0x8
    enum KTM_STATE State;                  //0x40
    [...]
    ULONG Flags;                           //0x80
    [...]
    struct _KRESOURCEMANAGER* TmRm;        //0x2a8
    [...]
};
```
19 / 137
Resource Manager (RM)
Created using CreateResourceManager()

```c
HANDLE CreateResourceManager(
    IN LPSECURITY_ATTRIBUTES lpResourceManagerAttributes,
    IN LPGUID ResourceManagerId,
    IN DWORD CreateOptions,
    IN HANDLE TmHandle,
    LPWSTR Description
);
```

Must be passed a TM handle
Optional Description parameter
Allocates a _KRESOURCEMANAGER structure on the non-paged pool
TmRm pool tag
20 / 137
_KRESOURCEMANAGER

```c
//0x250 bytes (sizeof)
struct _KRESOURCEMANAGER
{
    struct _KEVENT NotificationAvailable;         //0x0
    ULONG cookie;                                 //0x18
    enum _KRESOURCEMANAGER_STATE State;           //0x1c
    ULONG Flags;                                  //0x20
    struct _KMUTANT Mutex;                        //0x28
    [...]
    struct _KQUEUE NotificationQueue;             //0x98
    struct _KMUTANT NotificationMutex;            //0xd8
    struct _LIST_ENTRY EnlistmentHead;            //0x110
    ULONG EnlistmentCount;                        //0x120
    LONG (*NotificationRoutine)(struct _KENLISTMENT* arg1, VOID* arg2, VOID* arg3, ULONG arg4,
                                union _LARGE_INTEGER* arg5, ULONG arg6, VOID* arg7); //0x128
    [...]
    struct _KTM* Tm;                              //0x168
    struct _UNICODE_STRING Description;           //0x170
    [...]
};
```
21 / 137
_KRESOURCEMANAGER fields
Tm - Pointer to the associated transaction manager
Description - Unicode description of resource manager
Mutex - Locks RM. Other code cannot:
Parse the resource manager's enlistments list
Read Description
etc.
EnlistmentHead - List of associated enlistments with resource manager
NotificationQueue - Notification events
Queried from ring3 to read enlistment state change events
22 / 137
Transaction (Tx)
Created using CreateTransaction() function

```c
HANDLE CreateTransaction(
    IN LPSECURITY_ATTRIBUTES lpTransactionAttributes,
    IN LPGUID UOW,
    IN DWORD CreateOptions,
    IN DWORD IsolationLevel,
    IN DWORD IsolationFlags,
    IN DWORD Timeout,
    LPWSTR Description
);
```

Creates a _KTRANSACTION structure on the non-paged pool using TmTx pool tag
Represents whole piece of work to be done
Resource managers enlist in this transaction to complete the work
23 / 137
_KTRANSACTION

```c
//0x2d8 bytes (sizeof)
struct _KTRANSACTION
{
    struct _KEVENT OutcomeEvent;              //0x0
    ULONG cookie;                             //0x18
    struct _KMUTANT Mutex;                    //0x20
    [...]
    struct _GUID UOW;                         //0xb0
    enum _KTRANSACTION_STATE State;           //0xc0
    ULONG Flags;                              //0xc4
    struct _LIST_ENTRY EnlistmentHead;        //0xc8
    ULONG EnlistmentCount;                    //0xd8
    [...]
    union _LARGE_INTEGER Timeout;             //0x128
    struct _UNICODE_STRING Description;       //0x130
    [...]
    struct _KTM* Tm;                          //0x200
    [...]
};
```
24 / 137
Enlistments (En)
Created using CreateEnlistment()

```c
hEn = CreateEnlistment(
    NULL,        // lpEnlistmentAttributes
    hRM,         // ResourceManagerHandle - Existing resource manager handle
    hTx,         // TransactionHandle - Existing transaction handle
    0x39ffff0f,  // NotificationMask - Special value to receive all possible notifications
    0,           // CreateOptions
    NULL         // EnlistmentKey
);
```

Allocates a _KENLISTMENT structure on the non-paged pool
TmEn pool tag
Each has an assigned GUID
Must be associated with both a resource manager and a transaction
Typically a transaction will have multiple enlistments
25 / 137
_KENLISTMENT

```c
//0x1e0 bytes (sizeof)
struct _KENLISTMENT
{
    ULONG cookie;                                    //0x0
    struct _KTMOBJECT_NAMESPACE_LINK NamespaceLink;  //0x8
    struct _GUID EnlistmentId;                       //0x30
    struct _KMUTANT Mutex;                           //0x40
    struct _LIST_ENTRY NextSameTx;                   //0x78
    struct _LIST_ENTRY NextSameRm;                   //0x88
    struct _KRESOURCEMANAGER* ResourceManager;       //0x98
    struct _KTRANSACTION* Transaction;               //0xa0
    enum _KENLISTMENT_STATE State;                   //0xa8
    ULONG Flags;                                     //0xac
    ULONG NotificationMask;                          //0xb0
    [...]
};
```
26 / 137
_KENLISTMENT fields of interest
Transaction - The transaction that the enlistment is actually doing work for
Flags - Indicates the type and state of the enlistment
Mutex - Locks the enlistment and prevents other code from manipulating it
State - The current state of the enlistment in relation to the transaction
NotificationMask - Which notifications should be queued to the resource manager related to this enlistment
NextSameRm - A linked list of enlistments associated with the same resource manager
This is the list entry whose head is _KRESOURCEMANAGER.EnlistmentHead
27 / 137
_KENLISTMENT flags
The Flags field uses undocumented flags

```c
enum KENLISTMENT_FLAGS {
    KENLISTMENT_SUPERIOR           = 0x01,
    KENLISTMENT_RECOVERABLE        = 0x02,
    KENLISTMENT_FINALIZED          = 0x04,
    KENLISTMENT_FINAL_NOTIFICATION = 0x08,
    KENLISTMENT_OUTCOME_REQUIRED   = 0x10,
    KENLISTMENT_HAS_SUPERIOR_SUB   = 0x20,
    KENLISTMENT_IS_NOTIFIABLE      = 0x80,
    KENLISTMENT_DELETED            = 0x80000000
};
```
28 / 137
How to finalize and free an enlistment?
Enlistments are a reference counted object
Call some code path that triggers TmpFinalizeEnlistment() to lower ref count
A Prepared enlistment upon moving to Committed state will be finalized
Use CommitComplete() function on enlistment handle
Then CloseHandle() to remove our final userland reference
Either frees immediately, or upon any other KTM kernel code doing final dereference
29 / 137
Structure relationship overview
30 / 137
Transaction and Enlistment States
Transaction not complete until all enlistments have committed
Transaction cannot be committed until all of its enlistments transition through a series of synchronized states
A transaction with only one enlistment is the exception
Typical state transitions
PrePreparing -> PrePrepared -> Preparing -> Prepared -> Committed
31 / 137
_KENLISTMENT_STATE
Documented

```c
enum _KENLISTMENT_STATE {
    //...
    KEnlistmentPreparing    = 257,
    KEnlistmentPrepared     = 258,
    KEnlistmentCommitted    = 260,
    //...
    KEnlistmentPrePreparing = 266,
    //...
    KEnlistmentPrePrepared  = 273,
};
```
32 / 137
Notifications
Dictated by enlistment NotificationMask option at creation
Each RM has a set of associated Tx notifications that occur on milestone events, such as an En switching from one state to another
Notifications can be read using GetNotificationResourceManager()
The events are queued/retrieved using FIFO

```c
BOOL GetNotificationResourceManager(
    IN HANDLE ResourceManagerHandle,
    OUT PTRANSACTION_NOTIFICATION TransactionNotification,
    IN ULONG NotificationLength,
    IN DWORD dwMilliseconds,
    OUT PULONG ReturnLength
);
```

TRANSACTION_NOTIFICATION struct contains a TRANSACTION_NOTIFICATION_RECOVERY_ARGUMENT
Tells us which En a notification is associated with
33 / 137
Recovery
If a Tx fails or is interrupted for whatever reason, it can be possible to recover
Recovery in part possible by calling RecoverResourceManager()

```c
BOOL RecoverResourceManager(
    IN HANDLE ResourceManagerHandle
);
```

During this recovery phase, each enlistment associated with transactions in specific states will receive a notification
Allows the enlisted workers to synchronize on what they were doing for the transaction
34 / 137
Understanding CVE-2018-8611
35 / 137
Diffing - functions
36 / 137
Diffing - assembly
37 / 137
Diffing - Hex-Rays pre-cleanup
38 / 137
Diffing - Hex-Rays post-cleanup
39 / 137
40 / 137 to 50 / 137 (image-only slides, no text extracted)
What does TmRecoverResourceManager() normally do?
51 / 137
Vulnerability analysis key points
A recovering _KRESOURCEMANAGER is unlocked in order to queue a notification
Code retains pointer to associated _KENLISTMENT, but no lock
Sends notifications about said _KENLISTMENT
Attempts to tell if _KENLISTMENT is finalized, but in a raceable location
Drops the reference count by 1, which allows it to become freed if already finalized
Relocks _KRESOURCEMANAGER
Tests for a boolean that wasn't set if race condition occurs
Uses retained _KENLISTMENT pointer
_KENLISTMENT could now be freed
52 / 137
Triggering CVE-2018-8611
53 / 137
Faking a race win
Use WinDbg to force race window open
Patch KeWaitForSingleObject() so we guarantee pEnlistment is freed
Patch is just an infinite loop

```c
//...
ObfDereferenceObject(pEnlistment);
KeWaitForSingleObject(&pResMgr->Mutex, Executive, 0, 0, 0i64);
//...
} else {
    ObfDereferenceObject(pEnlistment);
}
```

```c
if ( bEnlistmentIsFinalized ) {
    pEnlistment_shifted = EnlistmentHead_addr->Flink;
    bEnlistmentIsFinalized = 0;
} else {
    pEnlistment_shifted = pEnlistment->NextSameRm.Flink;
}
```

After freeing all _KENLISTMENTs, test if pEnlistment->NextSameRm references freed memory
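The loop shape described in the vulnerability key points, together with the finalize-then-free mechanics from the "How to finalize and free an enlistment?" slide, as an added portable C model. This is not code from the talk, from tm.sys or from the decompilation on the slides: the `Enlistment` and `RM` types, the `recover_vulnerable`, `recover_hardened`, `finalize_enlistment`, `run_scenario` and `scenario_notifications` functions, the reference-count rules and the single hook that stands in for a second thread are all assumptions for illustration, and the hardened loop is one way to close the window, not Microsoft's actual patch. Reads through a freed enlistment are counted rather than performed on dead memory, so the model runs safely in user space.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct RM;

/* Constructed stand-in for _KENLISTMENT: only the fields the recovery loop touches. */
typedef struct Enlistment {
    struct Enlistment *next, *prev;   /* NextSameRm.Flink / Blink */
    int refcount;                     /* object reference count (ObfReference/DereferenceObject) */
    bool finalized;                   /* KENLISTMENT_FINALIZED */
    bool notified;                    /* recovery notification already queued */
    bool freed;                       /* model of the pool block having been released */
    int id;
} Enlistment;

/* Constructed stand-in for _KRESOURCEMANAGER. */
typedef struct RM {
    Enlistment head;                  /* EnlistmentHead, used as the list sentinel */
    bool locked;                      /* the RM Mutex */
    int uaf_count;                    /* reads through a freed enlistment, counted instead of crashing */
    int notifications;                /* notifications queued by the recovery loop */
    void (*other_thread)(struct RM *, Enlistment *); /* what a second thread does while the RM is unlocked */
} RM;

static void rm_lock(RM *rm)   { rm->locked = true; }
static void rm_unlock(RM *rm) { rm->locked = false; }

void rm_init(RM *rm, void (*other_thread)(RM *, Enlistment *)) {
    memset(rm, 0, sizeof *rm);
    rm->head.next = rm->head.prev = &rm->head;
    rm->head.id = -1;
    rm->other_thread = other_thread;
}

Enlistment *rm_add_enlistment(RM *rm, int id) {
    Enlistment *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->id = id;
    e->refcount = 1;                  /* the reference owned by the RM's enlistment list */
    e->next = &rm->head; e->prev = rm->head.prev;
    rm->head.prev->next = e; rm->head.prev = e;
    return e;
}

static void enlistment_ref(Enlistment *e)   { e->refcount++; }
static void enlistment_deref(Enlistment *e) { if (--e->refcount == 0) e->freed = true; }

/* Reads e->next; a read through a freed object is recorded rather than done on dead memory. */
static Enlistment *read_next(RM *rm, Enlistment *e) {
    if (e->freed) rm->uaf_count++;
    return e->next;
}

/* Models CommitComplete() + CloseHandle() on a Prepared enlistment from another thread:
   finalization takes the RM lock, unlinks the enlistment, then drops the list's reference. */
void finalize_enlistment(RM *rm, Enlistment *e) {
    rm_lock(rm);
    e->prev->next = e->next; e->next->prev = e->prev;
    e->finalized = true;
    rm_unlock(rm);
    enlistment_deref(e);
}

/* Vulnerable shape: "is it finalized?" is decided while the RM is unlocked, the reference is
   dropped before re-locking, and the stale answer selects the retained pointer as the next element. */
int recover_vulnerable(RM *rm) {
    rm_lock(rm);
    for (Enlistment *e = rm->head.next; e != &rm->head; ) {
        if (e->notified) { e = e->next; continue; }
        enlistment_ref(e);
        rm_unlock(rm);                                 /* RM unlocked to queue the notification */
        e->notified = true; rm->notifications++;
        bool is_finalized = e->finalized;              /* racy: read without the RM lock */
        if (rm->other_thread) rm->other_thread(rm, e); /* the race window */
        enlistment_deref(e);                           /* may be the last reference: e is gone */
        rm_lock(rm);
        if (is_finalized) { e = rm->head.next; continue; }
        e = read_next(rm, e);                          /* use of a possibly freed _KENLISTMENT */
        if (rm->uaf_count) break;                      /* stop where the real kernel would go wrong */
    }
    rm_unlock(rm);
    return rm->uaf_count;
}

/* Hardened shape (an assumption for illustration, not Microsoft's actual patch): keep the
   reference across the unlocked window, decide "finalized?" only after re-locking, and drop
   the reference only after the next pointer has been read. */
int recover_hardened(RM *rm) {
    rm_lock(rm);
    for (Enlistment *e = rm->head.next; e != &rm->head; ) {
        if (e->notified) { e = e->next; continue; }
        enlistment_ref(e);
        rm_unlock(rm);
        e->notified = true; rm->notifications++;
        if (rm->other_thread) rm->other_thread(rm, e);
        rm_lock(rm);
        Enlistment *next = e->finalized ? rm->head.next : read_next(rm, e); /* e alive: we hold a ref */
        enlistment_deref(e);                           /* e is never touched after this point */
        e = next;
    }
    rm_unlock(rm);
    return rm->uaf_count;
}

/* A second thread that commits and closes whichever enlistment it was just notified about. */
static void finalize_notified(RM *rm, Enlistment *e) { finalize_enlistment(rm, e); }

/* One recovery over three constructed enlistments; returns the UAF count. */
int run_scenario(int (*recover)(RM *), bool racing, int *notifications) {
    RM rm;
    rm_init(&rm, racing ? finalize_notified : NULL);
    Enlistment *a = rm_add_enlistment(&rm, 1), *b = rm_add_enlistment(&rm, 2), *c = rm_add_enlistment(&rm, 3);
    int uaf = recover(&rm);
    if (notifications) *notifications = rm.notifications;
    free(a); free(b); free(c);
    return uaf;
}

int scenario_notifications(int (*recover)(RM *), bool racing) {
    int n = 0;
    run_scenario(recover, racing, &n);
    return n;
}

int main(void) {
    printf("vulnerable loop, racing thread: %d UAF\n", run_scenario(recover_vulnerable, true, NULL));
    printf("hardened loop,   racing thread: %d UAF, %d notifications\n",
           run_scenario(recover_hardened, true, NULL), scenario_notifications(recover_hardened, true));
    return 0;
}
```

With the second thread finalizing the enlistment it was just notified about, the vulnerable loop reports one use-after-free on its first element; the hardened loop, which still holds its own reference when it re-locks the RM and reads the next pointer, reports none and still notifies all three enlistments. Without the racing thread both loops finish cleanly, which is why the bug only shows when the interleaving is won.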
54 / 137
Which _KENLISTMENT to free?
If we spam a lot of _KENLISTMENTs and try to repeatedly race...
How do we know which one to free?
Can't just free them all every time, as we want to maximize attempts
GetNotificationResourceManager() tells us which enlistment has been touched by the loop!
Vulnerable function unlocks the RM specifically to send a notification
Correlate the notification to the enlistment, and free it
Remove infinite loop after we triggered free from userland
If UAF triggers, it confirms our understanding of the bug
Run with Driver Verifier to easily confirm
55 / 137
Exploitable loop state
56 / 137
Actually winning the race
How do we win this race without patching KeWaitForSingleObject()?
Was hinted in the Kaspersky blog (though still not obvious to us for quite some time)
Suspend the thread stuck in TmRecoverResourceManager(), causing it to effectively block until woken up
A thread will become blocked on some natural blocking point
Like waiting to lock the congested RM mutex
Congest RM lock to increase likelihood of thread suspending where we want
Have a higher priority thread constantly triggering syscall that locks RM
Ex: Query the RM description (NtQueryInformationResourceManager)
Result
If thread suspended at right place, we have all the time in the world to free the enlistment
If not, no UAF happens, and we keep trying
57 / 137
Lock congestion
58 / 137
Lock congestion
59 / 137
Lock congestion
60 / 137
Lock congestion
61 / 137
Lock congestion
62 / 137
Lock congestion
63 / 137
![Page 64: Exploiting CVE-2018-8611 · 2020. 2. 21. · Notable KTM-related security findings 2010 - CVE-2010-1889 - Tavis Ormandy - invalid free 2015 - MS15-038 - James Forshaw - type confusion](https://reader036.vdocuments.us/reader036/viewer/2022081614/5fc5eac4fe0bf336335d1507/html5/thumbnails/64.jpg)
Lock congestion
64 / 137
![Page 65: Exploiting CVE-2018-8611 · 2020. 2. 21. · Notable KTM-related security findings 2010 - CVE-2010-1889 - Tavis Ormandy - invalid free 2015 - MS15-038 - James Forshaw - type confusion](https://reader036.vdocuments.us/reader036/viewer/2022081614/5fc5eac4fe0bf336335d1507/html5/thumbnails/65.jpg)
Lock congestion
65 / 137
![Page 66: Exploiting CVE-2018-8611 · 2020. 2. 21. · Notable KTM-related security findings 2010 - CVE-2010-1889 - Tavis Ormandy - invalid free 2015 - MS15-038 - James Forshaw - type confusion](https://reader036.vdocuments.us/reader036/viewer/2022081614/5fc5eac4fe0bf336335d1507/html5/thumbnails/66.jpg)
Lock congestion
66 / 137
Thread suspension detection
How can you tell if a thread is suspended?
- Use NtQueryInformationThread() to query the thread
- ThreadInformationClass of ThreadLastSyscall
- Returns STATUS_UNSUCCESSFUL if the thread is not suspended
67 / 137
Lock congestion
68 / 137
_KENLISTMENT replacement
- We know everything is on the non-paged pool
- We know the size of the _KENLISTMENT
- Non-paged pool feng shui is the obvious approach
74 / 137
Non-paged pool feng shui
Widely known, not too widely shared?
- Alex Ionescu in 2014
- Andreas Fobian from Blue Frost Security in 2020
75 / 137
Non-paged pool feng shui
Named pipe writes allocate on the non-paged pool
- Code handled by npfs.sys (tracked by the NpFr pool tag)
- Persistent until the other end of the pipe reads the data
- Chunk free occurs when the data is read
- Size of the chunk is fully controlled
- All data of the chunk aside from DATA_ENTRY is fully controlled
- Data is prefixed with an undocumented DATA_ENTRY structure (changed among Windows versions)
  - ReactOS is the best starting point (reversing/hexdump for relevant changes)
76 / 137
Feng shui layout #1
- As usual, want to avoid coalescing causing big holes
- Writes on alternate named pipes
77 / 137
Feng shui layout #2
78 / 137
Feng shui layout #3
79 / 137
Feng shui layout #4
80 / 137
Feng shui layout #5
81 / 137
Faking a _KENLISTMENT with a named pipe chunk
82 / 137
End result
83 / 137
What about the delayed free list?
Allocator optimisation that frees chunks only when the delayed free list is full
- Since Windows Vista
- Waits for it to contain 32 chunks
- Delayed free list is flushed and all 32 chunks are actually freed
84 / 137
What about the delayed free list?
Turns out it does not matter for us, since:
- If we win the race but the UAF enlistment chunk is not effectively freed
  - Chunk content will not be replaced by anything else, so NextSameRm.Flink is used
  - TmRecoverResourceManager loop will just continue with the following enlistment in the list
- We can win the race again later
- Can still make triggering the UAF faster by just freeing 32 chunks to bypass the delayed free
85 / 137
Detecting a race win
- How to seize control of the loop?
- No SMAP on Windows!
86 / 137
Detecting a race win
87 / 137
Now what?
88 / 137
Trap enlistment
- Inject a list of new enlistments into Flink when ready
- Tail of the new list of enlistments can be another trap
89 / 137
Detecting a race win - key points
- No SMAP on Windows!
- Replacement _KENLISTMENT->NextSameRm points to yet another fake userland _KENLISTMENT
- Userland _KENLISTMENT->NextSameRm points to itself
  - We refer to this as a 'trap' enlistment
- Kernel is now temporarily stuck in an infinite loop
- Kernel unsets the KENLISTMENT_IS_NOTIFIABLE flag on the userland enlistment
  - This modification in userland tells us we won!
90 / 137
Debugging a race win?
91 / 137
Debugging a race win?
92 / 137
How to escape the loop?
- We have control of the loop now
- We need a write primitive of some kind
- But also need to escape the loop?
93 / 137
Initial kernel pointer leak
Thank you KeWaitForSingleObject()
94 / 137
Escaping the loop
- We can now exit the loop!
- Introduce an 'escape' enlistment
- Set _KENLISTMENT->NextSameRm = &_KRESOURCEMANAGER.EnlistmentHead
- Exit cleanly
  - No crashes, reproducible testing, etc.
95 / 137
What an escape looks like
LWP = Limited Write Primitive (explained soon)
96 / 137
Building a write primitive
97 / 137
Vulnerable loop constraints
- Finding a write primitive is somewhat limited
- We are stuck inside this recovery loop
- What code paths do we follow? KeReleaseMutex() seemed best
- List-based mirror-write primitives are safe-unlinked after Windows 7 :(
- Keep looking...
- Found an arbitrary increment inside the KiTryUnwaitThread() call

    if ( (OwnerThread->WaitRegister.Flags & 3) == 1 ) {
        ThreadQueue = OwnerThread->Queue;
        if ( ThreadQueue )
            _InterlockedAdd(&ThreadQueue->CurrentCount, 1u);
    }

- But things get complicated..
98 / 137
Arbitrary increment primitive
- KeReleaseMutex() - KeReleaseMutant() wrapper
- KeReleaseMutant() - Our high level primitive function
- KiTryUnwaitThread() - Gives us our increment primitive
- KiProcessThreadWaitList() - Unavoidable because of the increment primitive
- KiUnlinkWaitBlocks() - Have to satisfy its attempt to unlink
- KiReadyThread() - Unavoidable call on our fake thread
- KiRequestProcessInSwap() - Have to satisfy early exit
99 / 137
Repeatable arbitrary address increment
- Too complicated to explain in detail
- Follow-up blog series covers it line by line
Positives
- Can chain multiple increments together
- Effectively an arbitrary write primitive
Negatives
- Need to know the starting contents of the address being written to
- Some risks related to running at DISPATCH_LEVEL
100 / 137
Primitive injection at a glance
101 / 137
What does our increment primitive look like?
- Lots of constraints
- Some requirements change across OS versions
102 / 137
Me running the LWP primitive
103 / 137
Building an arbitrary kernel read primitive
104 / 137
What to do?
- We have an arbitrary write as long as we know the original value
- We know where _KRESOURCEMANAGER is
- We can avoid setting a Description field when creating the RM
  - Means we know the _UNICODE_STRING Length and Name are both zero
- Point anywhere we want
- Call the NtQueryInformationResourceManager syscall to get the description
- Rinse and repeat
105 / 137
What does our read primitive look like?
106 / 137
How is that possible in practice?
- What if we need to get a really big value?
- Or need to wrap around to get a smaller value?
- Are we going to need 2^64 increments?
- Fortunately no, there is a trick (max 2*(256*8) = 2048 writes)
  - Split the increments across 8 different addresses
  - Each byte of the 64-bit value is incremented 256 or fewer times
107 / 137
Efficient use of increment
108 / 137
How is that possible in practice?
Max 2*(256*8) = 2048 writes
- < 256*8 writes to reset the value to zero
- < 256*8 writes to set the value to anything
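The per-byte trick, as an added example that is not the talk's code: a Python model of a "+1 on a 32-bit word at any byte address" primitive applied to a byte buffer, a planner that works out how many increments each byte of a 64-bit value needs (least-significant byte first, so a wrap carries into a byte that has not been planned yet), and a simulation that confirms the result and the bound. It goes one step beyond the slide's zero-then-set count: planning the difference directly needs at most 255 increments per byte, 2040 in all, which is why the 2048 bound holds. The 8-byte value width, the 32-bit add width and the sample values are assumptions made for the example.

```python
"""Model of the per-byte increment trick (added example, not the talk's code).

The only primitive is "add 1 to the 32-bit word at an arbitrary byte address".
Because a byte that wraps from 0xFF carries into its neighbour, the planner
visits bytes least-significant first so every carry lands in a byte that is
planned afterwards.  Widths and sample values below are assumptions."""

VALUE_SIZE = 8          # assumed: the value being rewritten is 64 bits wide
ADD_WIDTH = 4           # assumed: the primitive is a 32-bit interlocked add
MAX_INCREMENTS = 255 * VALUE_SIZE   # direct plan: at most 255 per byte = 2040


def increment32(buf: bytearray, offset: int) -> None:
    """Apply one primitive: +1 on the little-endian 32-bit word at buf[offset].

    Modelled as a real add on the bytes, so a byte going 0xFF -> 0x00 carries
    into the following byte exactly as a misaligned 32-bit add would."""
    word = int.from_bytes(buf[offset:offset + ADD_WIDTH], "little")
    word = (word + 1) & 0xFFFFFFFF
    buf[offset:offset + ADD_WIDTH] = word.to_bytes(ADD_WIDTH, "little")


def plan_increments(current: int, target: int) -> list:
    """Return [(byte_offset, count), ...] that turns `current` into `target`.

    For each byte (LSB first) the count is (target - current) mod 256, so it
    is never more than 255.  If that many increments wrap the byte, the next
    byte's starting value is bumped by one before it is planned; a carry out
    of the top byte cannot be absorbed and spills into adjacent memory."""
    cur = bytearray(current.to_bytes(VALUE_SIZE, "little"))
    tgt = target.to_bytes(VALUE_SIZE, "little")
    plan = []
    for i in range(VALUE_SIZE):
        count = (tgt[i] - cur[i]) % 256
        if count:
            plan.append((i, count))
        # At most one wrap per byte, since count < 256: fold it into the
        # next byte's starting value so its own count accounts for it.
        if cur[i] + count > 0xFF and i + 1 < VALUE_SIZE:
            cur[i + 1] = (cur[i + 1] + 1) & 0xFF
    return plan


def increments_needed(current: int, target: int) -> int:
    """Total number of primitives the plan uses (always <= MAX_INCREMENTS)."""
    return sum(count for _, count in plan_increments(current, target))


def apply_plan(current: int, plan: list, slack: int = ADD_WIDTH) -> tuple:
    """Run a plan through the modelled primitive and return (value, tail).

    The buffer carries `slack` extra bytes after the value: a carry out of the
    top byte is real memory traffic, so it shows up in the returned tail
    instead of being dropped silently."""
    buf = bytearray(current.to_bytes(VALUE_SIZE, "little")) + bytearray(slack)
    for offset, count in plan:
        for _ in range(count):
            increment32(buf, offset)
    return int.from_bytes(buf[:VALUE_SIZE], "little"), bytes(buf[VALUE_SIZE:])


if __name__ == "__main__":
    # Constructed sample: rewrite the low 32 bits of a pointer-like value.
    before, after = 0xFFFF9A8B12345678, 0xFFFF9A8B87654321
    plan = plan_increments(before, after)
    value, tail = apply_plan(before, plan)
    print(f"plan: {plan}")
    print(f"increments: {increments_needed(before, after)} (bound {MAX_INCREMENTS})")
    print(f"result: {value:#018x}, spill into neighbour: {tail.hex()}")
    assert value == after and tail == b"\x00" * ADD_WIDTH
    # Worst case: every byte must wrap, 255 * 8 increments, and the wrap of
    # the top byte leaks one carry into the bytes after the value.
    value, tail = apply_plan(1, plan_increments(1, 0))
    print(f"worst case -> {value:#x}, neighbour now {tail.hex()}")
```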
124 / 137
Privilege escalation
125 / 137
Data only attack - Using the increment primitive
- We can trigger the increment primitive indefinitely
- Use the increment write primitive to enable an arbitrary read primitive
- Use the read primitive to read the SYSTEM token
- Use the write primitive to adjust our EPROCESS token to SYSTEM
- Caveats: if the EPROCESS token is read during our slow adjustment, we BSOD
  - If Task Manager is running
  - If Process Explorer is running
126 / 137
Exploiting Windows 10 1809 (RS5) x86/x64
- Data only attack
- Bypassing kernel CFG wasn't investigated (yet)
  - But the primitives should make it doable
- The only major x64 and x86 differences are structure sizes and offsets
  - Except for the following thing to come...
- Relatively easy to port to all versions back to Vista
127 / 137
Bonus - BlueHat Shanghai May 2019
128 / 137
Bonus - The "invisible" paper
- Turns out Kaspersky presented on this in May 2019 at BlueHat Shanghai 2019
  - Boris Larin (@oct0xor) and Anton Ivanov (@antonivanovm)
- Explains some of what we just described
- Found after we got accepted to speak at POC2019
  - win32k syscall filter search keywords found it by accident
  - Searching CVE-2018-8611 or KTM did not
129 / 137
Me reading the paper
130 / 137
Bonus - The "invisible" paper
- Actually quite happy in the end we never saw it!
- Most interesting highlight
  - 0day exploit used multiple different approaches from us
131 / 137
Bonus - Race winning detection
- 0day didn't use the same trap enlistment approach to detect the race win
- Used an Event Notification object to trap the kernel on KeWaitForSingleObject()
- Swap object type after detection
- Modified mutex allows a write-0 primitive (similar code path to ours)
Positives
- It's interesting to see a different approach
Negatives
- Must modify every mutex that gets touched by the loop
- More complicated than our primitive
132 / 137
Bonus - Write primitive: No increment, write 0 only
- 0day didn't use the increment primitive either!
- Abused an earlier write 0 in the same KeReleaseMutex() code path
  - Writes a sizeof(void *) 0 value to any address
  - Least significant bit must already be 0 to avoid deadlock
Positives
- Reduced setup complexity to reach the write primitive
Negatives
- Doesn't work on all OS versions
  - Vista x64 due to code differences
  - Vista/7 x86 because the whole pointer is required to be 0 in the first place (different macro)
- Situationally less powerful primitive
133 / 137
Bonus - What to write with 0?
- 0day targeted the KTHREAD.PreviousMode field
  - First documented by Tarjei Mandt in 2011
- Misaligned write to this field allows setting it to 0
  - Unrestricted NtReadVirtualMemory() and NtWriteVirtualMemory()
  - Arbitrary kernel read/write
Positives
- Super powerful (64-bit)
- Possibly first in-the-wild use?
Negatives
- Doesn't work on x86 due to PreviousMode being reset to UserMode based on CS when the syscall is entered
134 / 137
Demo
135 / 137
Conclusion
- Quite reliably exploitable race condition leading to a UAF
- Very interesting and fun to exploit
- Should be usable to bypass most kernel mitigations (if necessary)
  - KASLR, SMEP, CFG, etc.
- Our approach differed significantly from the 0day
  - Both methods have a lot of value!
- Tons of details still missing
  - Follow-up 5 part blog series coming
136 / 137