From Logic to Memory: Winning the Solitaire in Reparse Points

Presented at Black Hat Europe 2021, Nov. 11, 2021, 3:20 p.m. (40 minutes)

In recent years, two types of reparse points, mount points and symlinks, have frequently been used in file redirection vulnerabilities in Windows system services. Hundreds of logic vulnerabilities (from permanent DoS and info leak to privilege escalation) have been discovered in this attack surface. Besides fixing those vulnerabilities, Microsoft has also released many mitigations to make this bug class harder and harder to exploit successfully and reliably. This presentation shows a 0-day logic vulnerability which bypasses all current mitigations with undisclosed exploit techniques and won the Windows EoP category at Pwn2Own 2021. All details, from finding the bug in one day with a unique vulnerability discovery strategy to winning a seemingly impossible race window reliably, will be covered.

But the story does not end here. Microsoft stopped granting bug bounties for that bug class and is releasing more and more mitigations to kill the bug class entirely. It seems to be the end of the reparse point era, but things are not always that easy. There are over fifty types of tags in reparse points; mount point and symlink are only two of them. After exploring the other tags in reparse points, we found several memory corruption EoP bugs among them. Interestingly, in our findings there is one function containing three kinds of bugs: out-of-bounds read, out-of-bounds write and race condition; more interestingly, the same vulnerable function appears in several different Windows components. We reported our findings to Microsoft and quickly received bug bounties rewarding these new discoveries. Memory corruption EoP bugs in reparse points can lead to native code execution in Windows system services and escalate privileges to SYSTEM directly, so all previous and future mitigations against logic EoP bugs in reparse points are useless against them. This presentation unveils this new and less noticed attack surface for memory corruption EoP bugs in reparse points.

Presenters:

  • Bo Qu - Senior Director, Palo Alto Networks
    Dr. Bo Qu is a Senior Director at Palo Alto Networks. His skills include vulnerability research and coverage, bug hunting, reverse engineering, binary diffing, exploitability research and analysis, and vulnerability reproduction. He also conducts research on iOS, Android, and other mobile OS security.
  • Tao Yan - Senior Principal Researcher, Palo Alto Networks
    Tao Yan (@Ga1ois) is a senior principal researcher at Palo Alto Networks. He focuses on the discovery of new attack surfaces, the exploration of new research methods (including but not limited to vulnerability discovery and exploitation methods) and system internals research from both offensive and defensive perspectives. His interests include bug finding with fuzzing and static code review, exploits, mitigation bypass, sandbox escape and privilege escalation on various applications and modules including browsers, Flash, RDP, COM/RPC, etc. He has also been involved with exploits, APTs, and malware detection and defense. He was listed as the #7 researcher in 2016 and the #4 researcher in 2017 in the MSRC Top 100 Researchers. He is also the winner of the local escalation of privilege category at Pwn2Own 2021. In addition, he is a regular inventor of security patents and speaker at security conferences including CanSecWest, POC, HITCON, Recon, BlueHat and Black Hat.
