If you have ever done Windows debugging or crash dump analysis, you are probably familiar with PDB files. These files store debugging information (or 'symbols') about a program and are parsed by debuggers such as WinDBG and Visual Studio. While researching the parser for those files, implemented by DbgHelp.dll, I discovered several memory corruption vulnerabilities.
One attack surface for triggering these vulnerabilities is serving malformed PDBs through a remote symbol server to a debugger. I reported the issue to Microsoft MSRC, and they decided it doesn't meet the bar for security servicing because the attack surface is too complex. This led me to discover another attack surface, allowing me to use the exact same parsing bug for escalating privileges locally (fixed as CVE-2021-24090). I created a full exploit demonstrating a low-IL process gaining medium-IL privileges.
In this talk, I will describe the vulnerability discovery process and then go into detail about how the bug can be exploited. The exploit bypasses several OS-level mitigations, such as ASLR, heap hardening and CFG.