44CON2022

Microsoft Security Response Center receives and examines many interesting bug classes. Often, the exploitability of those bugs is apparent, but this is not always the case. One interesting outlier is an arbitrary kernel pointer read primitive where the attacker cannot retrieve the content of the memory read. Traditionally, these would have an impact of Denial of Service (DoS) or in some cases a second-order Kernel Memory Information Disclosure (where side channels or indirect probing are possible) but could such a limited primitive actually be exploited for code execution / privilege escalation?

In this talk we will discuss how new exploitation primitives may be possible by targeting Memory Mapped I/O (MMIO) ranges of peripheral device drivers with an arbitrary read primitive. We’ll give examples of such primitives submitted to MSRC and then discuss a new avenue of attack against both the kernel and the hypervisor. We’ll discuss how to identify drivers of interest for further vulnerability research, including using WinDbg to instrument allocators. We’ll discuss some patterns we consider dangerous and the internals of some reliant devices that could be targeted with these observations.