Congratulations, you found a Windows kernel bug! Now what?
Finding a kernel vulnerability is great, but it’s only the first step on the way to a fully weaponized exploit. With every windows version that path becomes harder and less clear, with new mitigations from KASLR and SMEP to HVCI, KCFG and KCET making exploitation harder and breaking existing exploit primitives.
Even vulnerability classes like pool corruption or arbitrary write, which used to be almost trivial to exploit for a full user->kernel EoP are now difficult to turn into a stable, working exploit on modern systems.
Thankfully, Windows comes to the rescue. Windows 11 adds many new features and data structures that give the skilled exploit developer a new set of tools to use. This talk will demonstrate how one of those mechanism can be used to turn one arbitrary write into a full arbitrary kernel read/write primitive. This is done using documented APIs and data structures, while leaving minimal traces that can be used to detect the exploit. This novel technique is simple, clean and easy to understand and implement and has minimal visibility to security products or forensic tools.
This talk is presenting a new post-exploitation technique using the new windows 11 I/O Ring mechanism to turn an arbitrary kernel write bug (or pool corruption, or arbitrary increment) into a full kernel read/write primitive.
First, I’ll present the problem of modern kernel exploitation on Windows – older exploitation primitives no longer working due to new mitigations, inability to execute unsigned or dynamic code, KCFG and KCET breaking indirect code execution and ROP, kernel pool changes preventing certain pool corruption bug classes and exploits and PatchGuard, HyperGuard and KDP protecting sensitive data structures that used to be popular exploitation targets.
Next, I’ll talk about I/O rings: a new I/O mechanism that was first added to Linux (under the name io_uring) and later to Windows 11. I’ll present the feature, its intended use, different abilities, data structures and mechanisms.
Finally, I’ll explain a novel post-exploitation technique that allows turning a generic bug into a full arbitrary read/write primitive, all while using public structures and documented Windows API. I’ll show how this new technique works, its pros and cons and the reasons that make it stealthy and difficult to detect by security products and forensic tools.
Takeaways from this talk:
People who attend this talk will learn about the difficulties of modern exploitation on Windows – the techniques that no longer works, current mitigations and mitigations that will become more common over the next few years and will change the approach to exploitation in the future.
They will learn about a new technique that will allow turning a “simple” bug into a full exploitation primitive – a simple and straightforward technique that can be used “out of the box” with several different bug classes.
This talk will not only present a new post-exploitation technique, but also reveal the research process and the approach that led to its development. This will hopefully allow other researchers to use related concepts to develop other exploitation techniques in the future, even when this one is no longer viable.
About the speaker
Yarden Shafir is a circus artist with a visual studio license. Yarden has a rich background of Windows Internals research and expertise with various EDR capabilities and EPP features.
Yarden spoke at multiple security events including: Paranoia 2021, BlackHat USA 2021, Zer0Con 2021, OPCDE Dubai 2020 and many many others.