Friday, September 16 • 1:30pm - 2:30pm
Andrew Ruddick - Exploring a New Class of Kernel Exploit Primitive


Microsoft Security Response Center receives and examines many interesting bug classes. Often, the exploitability of those bugs is apparent, but this is not always the case. One interesting outlier is an arbitrary kernel pointer read primitive where the attacker cannot retrieve the content of the memory read. Traditionally, these would have an impact of Denial of Service (DoS) or in some cases a second-order Kernel Memory Information Disclosure (where side channels or indirect probing are possible) but could such a limited primitive actually be exploited for code execution / privilege escalation?

In this talk we will discuss how new exploitation primitives may be possible by targeting the Memory Mapped I/O (MMIO) ranges of peripheral device drivers with an arbitrary read primitive. We'll give examples of such primitives submitted to MSRC and then discuss a new avenue of attack against both the kernel and the hypervisor. We'll cover how to identify drivers of interest for further vulnerability research, including using WinDbg to instrument allocators, and describe some patterns we consider dangerous along with the internals of some reliant devices that could be targeted with these observations.


Andrew Ruddick

Andrew is a Security Researcher on the Vulnerabilities & Mitigations team at the Microsoft Security Response Centre (MSRC). He has worked in computer software and hardware security for 8 years, with prior experience in software development. Andrew has particular expertise in low-level...

Friday September 16, 2022 1:30pm - 2:30pm BST
*Track 1*