Why so Spurious? How a Highly Error-Prone x86/x64 CPU "Feature" can be Abused to Achieve Local Privilege Escalation on Many Operating Systems

Presented at Black Hat USA 2018, Aug. 8, 2018, 4 p.m. (50 minutes)

There exists a "feature" in the x86 architecture that, due to improper programming by many operating system vendors, can be exploited to achieve local privilege escalation. At the time of discovery, this issue was present on the latest-and-greatest versions of Microsoft Windows, Apple's macOS, and certain distributions of Linux. This issue, very likely, impacts other operating systems on the x86 architecture.

For both Intel and AMD CPUs, this vulnerability can be utilized to reliably and successfully exploit Windows 10 by replacing the access token of the current process with the SYSTEM token from an unprivileged and sandboxed usermode application. This results in local privilege escalation. On AMD hardware, if SMAP/SMEP is disabled, this vulnerability can be exploited without failure since arbitrary user-specified memory can be utilized in CPL 0.

Presenters:

• Nicolas Peterson - Anti-Cheat Engineer,  
  Nick Peterson started his career in reverse-engineering with World of Warcraft at age 15. This kicked off his interest in low level internals and he began a deep dive into the x86 architecture which led him to create a functioning hobby OS by the age of 21. Drawn to the cat and mouse game frequently played between anti-cheat and cheat developers, he continued running subscription based cheat platforms until he was hired into the Anti-Cheat space by ESEA. Today, Nick finds himself doing similar low level work at Riot Games.
• Nemanja Mulasmajic - Anti-Cheat Engineer,  
  Nemanja Mulasmajic is an Anti-Cheat Engineer at Riot Games. After starting his career in information security with a brief stint at the Department of Defense, Nemanja, a lifelong gamer, realized that his true passions lied with video games. This caused him to transition from his job at the government into a career in the video gaming industry. Nemanja's first job in the gaming sphere was at Blizzard Entertainment. There he worked on architecting the Anti-Cheat system that protects Overwatch. Now, Nemanja works at Riot Games where he builds new cheat prevention and detection solutions for League of Legends.

Links:

• https://www.blackhat.com/us-18/briefings/schedule/#why-so-spurious-how-a-highly-error-prone-x86x64-cpu-feature-can-be-abused-to-achieve-local-privilege-escalation-on-many-operating-systems-11196

Similar Presentations:

• Black Hat USA 2012 / A Stitch in Time Saves Nine: A Case of Multiple Operating System Vulnerability
• Black Hat USA 2019 / Battle of Windows Service: A Silver Bullet to Discover File Privilege Escalation Bugs Automatically
• 31C3 (2014) / AMD x86 SMU firmware analysis: Do you care about Matroshka processors?