The Microsoft Windows graphics subsystem is large and complex, and it contains some extremely important components such as the font engine, the window manager and the graphics device interface (GDI). In recent years we have seen several nice kernel exploits, such as CVE-2015-2455 (TTF), CVE-2016-0173 (Surface) and CVE-2017-8465 (Cursor), and it is clear that Microsoft is constantly adding mitigations to the Windows kernel.
About a year and a half ago, Tencent ZhanluLab started to look into the Windows graphics subsystem for sandbox escapes and to date we have discovered 15+ kernel vulnerabilities and successfully exploited Windows 10 from the Edge sandbox several times. This talk will be divided into two parts.
In the first part, we will explain in detail how we analyze the graphics subsystem in depth and discuss several special attack vectors we have found.
In the second part, we will discuss the syscall filter mechanism of the Edge sandbox and introduce three methods to escape from the sandbox to SYSTEM starting from the Edge content process. These include:
1. Analyzing object actions from the unfiltered syscall functions
2. Abusing a bug in the Chakra engine to bypass syscall filters
3. Fuzzing the DxgkInterface functions
We have written full exploits for each method and the details of these vulnerabilities will also be disclosed in the presentation.