The Last Generic Win32k KASLR Defeat in Windows 10

Presented at REcon 2019, June 29, 2019, 2 p.m. (60 minutes)

This talk will describe the final mistake that Microsoft made when 'fixing' the shared heap (desktop heap and session heap) structures that are shared by User and GDI objects in Win32k.sys, which have leaked kernel pointers to user mode for over two decades. I will cover how existing techniques were broken in Fall Creators Update (RS4), and how this build and the subsequent ones (RS5 and 19H1) had a critical implementation flaw which still made KASLR bypasses possible. Additionally, I will describe the "Segment Heap" that is now used by the kernel for these structures, and some of the interesting attack points for an arbitrary write by breaking a CRC/cookie algorithm. The bug was fixed in November, and a CVE and bounty were issued by Microsoft.

Outline:

  • Review/overview of the two heaps and the leaks in user32!gSharedInfo, PEB->GdiSharedHandleTable and TEB->Win32Clientinfo
  • Changes done in RS4
  • The Segment Heap
  • The bug itself: keeping the heap header mapped
  • Other novel use cases: breaking the CRC segment heap cookie and retrieving more pointers
  • Potential for LPE through ARW
  • The current state of KASLR in Windows

Presenters:

  • Alex Ionescu
    Alex Ionescu is the Vice President of EDR Strategy at CrowdStrike, Inc., where he started as its Chief Architect almost eight years ago. Alex is a world-class security architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering. He is coauthor of the last three editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as over a few dozen non-security bugs. Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low-level system software, reverse engineering and security trainings for various institutions.
