Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)

During the weekend of 6-8th of July, our CTF team – Dragon Sector – played in an invite-only competition called WCTF, held in Beijing. The other participants were top-tier groups from around the world (e.g. Shellphish, ESPR, LC↯BC or Tokyo Westerns), and the prize pool of the contest was a stunning $100,000 USD. One particularly unique rule of the CTF was that the challenges were prepared by the teams themselves and not the organizers. Each of the 10 teams was obligated to provide two tasks, at least one of which had to run on Windows. This meant that each team could capture a maximum of 18 flags set up by the other teams in the room. In practice, the structure of the contest incentivized submitting extremely difficult and complex challenges. Remote help was allowed, and the scoring system offered first blood bonus points for being the first, second and third team to solve a task. The hacking part of the event was followed by a soft part, where additional points were granted by a jury and the participants for presenting one’s own tasks on stage.

After two days of though competition, we came out as the runner up of the CTF with 6/18 tasks solved, behind the winner – Tokyo Westerns (7/18 tasks):

Read more

Wrapping up the kernel infoleak research with a whitepaper

Following the previous post in June last year, I continued to actively work on Bochspwn Reloaded, a Bochs-based tool designed to detect leaks of uninitialized memory from kernels to the user address space. In addition to my talk at REcon Montreal 2017 (slides, video), I also gave similar presentations at Black Hat USA 2017 (slides, video) and a Polish event called Security PWNing Conference held in Warsaw (slides in Polish).

Since then, I improved and polished various parts of the instrumentation and testing environment, which led to new waves of Windows bugs being reported to Microsoft in several iterations throughout the year. The most significant advancements I made during this time are as follows:

  • Implemented support for x64 guest systems and used it to identify 17 new Windows bugs specific to the 64-bit platform.
  • Developed and evaluated a taint-less method of detecting leaks to mass storage devices, which helped find a number of bugs in the Windows NTFS.sys file system driver.
  • Implemented a test suite of programs to automatically test the NtQuery system call family on Windows, which uncovered new issues in a total of 14 syscalls across 23 different information classes.
  • Tested other types of instrumentation aimed to detect problems related to user↔kernel communication, such as kernel address disclosures through double-writes.

Read more