Windows kernel exploitation is a fascinating and challenging field of research that draws the attention of security researchers and attackers alike. The Windows kernel and its drivers form a vast and complex code base that offers many opportunities for discovering and exploiting vulnerabilities, leading to system compromise and bypasses of security mechanisms. This talk will explore the current state and evolution of Windows kernel security by analyzing two new exploits that were demonstrated at Pwn2Own this year, showing how kernel code execution was achieved on the latest versions of Windows.
First, the talk will focus on the Cloud Filter minifilter driver (cldflt.sys), the Windows component responsible for syncing files with cloud storage providers. It will present the methodology used to analyze and test this complex driver, and how a use-after-free vulnerability was found by fuzzing the filter communication port interface the driver exposes to user mode. The talk will then describe how the vulnerability was exploited: kernel control flow was hijacked and redirected to existing functions used as gadgets, which are valid Control Flow Guard targets and therefore pass its indirect-call checks, to escalate privileges to SYSTEM.
The second part of the talk will review the current kernel mitigations, their weaknesses, and the future of kernel security. It will discuss how these mitigations are evolving, covering kernel address space layout randomization (KASLR), supervisor mode access and execution prevention (SMAP and SMEP), control-flow integrity mechanisms in software and hardware (CFG and CET), and the elimination of common exploit primitives, and will show how the first exploit would be broken by them in the future.
The final part will present the second exploit, based on a logic bug that sidesteps most memory-corruption mitigations by granting direct read and write access to kernel virtual memory. The vulnerability and the exploit will be explained and demonstrated on stage.