For example, for the traditional memory damage vulnerabilities, the vulnerability itself will affect the running of the kernel. Kernel Information LeakĪs a kind of kernel vulnerability, it has its own uniqueness. In order to bypass KASLR, a direct countermeasure is to discover vulnerabilities that leak valuable information from the kernel mode to calculate the address of kernel module or kernel object. The above is the traditional way to get the kernel module address and kernel object address, as the kernel normal feature.īut after win8, low integrity application will fail in calling these functions. * SystemFullProcessInformation NtQueryInfomationThread NtQueryInfomationProcess The functions include but not limited to: NtQuerySystemInformation * SystemModuleInformation Programs under medium integrity are not able to invoke functions such as NtQuerySystemInformation to obtain addresses of kernel modules, kernel objects or pools. It is an effective method against exploitation using Return-oriented Programming (ROP) attack.īeginning with Windows 8, KASLR is enhanced with a newly introduced function ExIsRestrictedCaller. In Windows Vista and above, Microsoft enable Kernel Address Space Layout Randomization (KASLR) by default to prevent exploitation by placing various objects at random addresses, rather than fixed ones. I selected a small part from the work in the past few months to spread out this topic. I had already show how to fuzz the windows kernel via JS, today we will introduce a new method to discover windows kernel vulnerabilities automatically without fuzzing. This Patch-Tuesday MS fixed 6 kernel information leak vulnerabilities reported by us, the details are at the end of this article.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |