I figured that it might be worth releasing “The story of CVE-2011-2018 exploitation” as a stand-alone, nicely formatted paper for your reading convenience. It was previously released in the Hack in The Box Magazine #8 over a month ago (see the announcement blog post). In short, the paper is a guide through the exploitation process of a subtle, yet very interesting vulnerability in the Windows kernel, patched by Microsoft in December 2011. Without further ado, the full document can be downloaded at: cve_2011_2018.pdf (607kB).
Exploitation of Windows kernel vulnerabilities has recently been drawing more and more attention, as observed in both the monthly Microsoft advisories and the technical talks presented at public security events. One of the most recent security flaws fixed in the Windows kernel was CVE-2011-2018, a vulnerability which could potentially allow a local attacker to execute arbitrary code with system privileges. The problem affected all – and only – 32-bit editions of the Windows NT family, up to and including the Windows 8 Developer Preview. In this article, I present how certain novel exploitation techniques can be used on different Windows platforms to achieve elevation of privileges through this specific kernel vulnerability.