35th Chaos Communication Congress

Exploiting Kernel Memory Corruptions on Microsoft Windows 10 RedStone 5
2018-12-27 , Dijkstra
Language: English

This talk is about new challenges in exploiting kernel memory corruptions on brand new Microsoft Windows RedStone 5.


Each new version of Windows OS Microsoft enhances security by adding security mitigation mechanisms - Kernel land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox is by using a kernel vulnerability. That's why Microsoft struggles to enhance security of Windows kernel.

Kernel pool allocator plays a significant role in security of whole kernel. Since Windows 7, Microsoft started to enhance the security of the Windows kernel pool allocator. In Windows 8, Microsoft has eliminated almost all reliable (previously published) techniques of exploiting kernel pool corruptions.

Then Microsoft eliminated "0xBAD0B0B0" technique in Windows 8.1, and there was no easy technique to exploit Pool Overflows on Windows 8.1

Then DKOM/DKOHM technique was present that gave really nice primitives(arbitrary read/write/execute) for kernel exploitation.

Following up Microsoft obfuscated TypeIndex in an object header leaving DKOM/DKOHM technique useless.

But Microsoft left unprotected optional headers that gave born to DKOOHM technique.

Sadly enough, Microsoft introduced brand new Kernel Memory Allocator on Windows 10 RS5 leaving current pool memory manipulation techniques useless.

This talk presents new techniques of exploiting kernel memory corruptions on Windows 10 RS5.