OP 18 October, 2024 - 06:19 PM
Over the past few decades, vulnerabilities in the Windows Kernel have emerged frequently. The popular attack surface has gradually shifted from Win32k to CLFS (Common Log File System). Microsoft has continuously patched these vulnerabilities, making these targets increasingly secure. However, which component might become the next attack target? Last year, MSKSSRV (Microsoft Kernel Streaming Service) became a popular target for hackers. This research will discuss an overlooked attack surface that allowed us to find more than ten vulnerabilities within two months.
Again "Untrusted Pointer Dereference" similar to the bug in appid.sys that was in our contest. If for some reason you did not have time to participate then, you can try to write a 1-day for this vulnerability, and for the rest - this is an opportunity to consolidate the material (kCFG bypass) and learn something new.
I think many will like the part with obtaining SeDebugPrivilege through arbitrary increment.
If you suddenly decide to plunge your head into this swamp, then to study the work of this subsystem there is a utility KsStudio, which I have never heard of and came across purely by chance. It comes with WDK and in my opinion is informative - it complements the article and documentation.
Be sure to check out how the guys got out of a difficult situation when exploiting arbitrary increment in the second part.
In short, they rewrote the value of the variable SeDebugPrivilege in the PAGEDATA section from 0x14 to 0x17.
In fact, this allowed an unprivileged user, who by default had the right SeChangeNotifyPrivilege, to pass the check in PsOpenProcess and be promoted.
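To make clear why changing that one constant from 0x14 to 0x17 matters, here is an added model of the privilege check, written for this thread and not code from the write-up or from Windows. It assumes only the documented privilege numbers from winnt.h (SE_DEBUG_PRIVILEGE = 20 = 0x14, SE_CHANGE_NOTIFY_PRIVILEGE = 23 = 0x17); tokens are modelled as sets of enabled privilege LUIDs, and `open_process_allowed`, `single_privilege_check` and `debug_luid_constant_intact` are hypothetical names standing in for the kernel's SeSinglePrivilegeCheck path and for an integrity check a defender could run over the constant.

```python
# Constructed model of the kernel privilege check discussed in the thread.
# LUID low parts come from winnt.h; they are facts, not values from this page.
SE_DEBUG_PRIVILEGE = 0x14          # 20: held by administrators, required to open any process
SE_CHANGE_NOTIFY_PRIVILEGE = 0x17  # 23: held and enabled by every token by default

# The value the kernel's "required privilege" variable is supposed to contain.
EXPECTED_DEBUG_LUID = SE_DEBUG_PRIVILEGE

# A token is modelled as the set of privilege LUIDs currently enabled in it (constructed).
UNPRIVILEGED_TOKEN = frozenset({SE_CHANGE_NOTIFY_PRIVILEGE})
ADMIN_TOKEN = frozenset({SE_CHANGE_NOTIFY_PRIVILEGE, SE_DEBUG_PRIVILEGE})


def single_privilege_check(token, required_luid):
    """Model of SeSinglePrivilegeCheck: succeeds only if the privilege is enabled."""
    return required_luid in token


def open_process_allowed(token, debug_luid_constant=EXPECTED_DEBUG_LUID):
    """Model of the PsOpenProcess privilege path (hypothetical name).

    The LUID the kernel compares against is taken from a variable rather than
    being hard-coded, which is exactly why rewriting that variable changes the
    outcome of the check for every caller.
    """
    return single_privilege_check(token, debug_luid_constant)


def debug_luid_constant_intact(value):
    """Defender-side integrity check: the constant must still name SeDebugPrivilege.

    If it has been turned into SE_CHANGE_NOTIFY_PRIVILEGE, every token on the
    machine satisfies the "debug" check, so the value should be treated as a
    tamper indicator rather than a configuration.
    """
    return value == EXPECTED_DEBUG_LUID


if __name__ == "__main__":
    print("admin can open process:", open_process_allowed(ADMIN_TOKEN))
    print("user can open process:", open_process_allowed(UNPRIVILEGED_TOKEN))
    tampered = SE_CHANGE_NOTIFY_PRIVILEGE
    print("user after constant rewrite:", open_process_allowed(UNPRIVILEGED_TOKEN, tampered))
    print("constant intact:", debug_luid_constant_intact(tampered))
```

The point the model makes is that the check itself is never broken: it still asks "does this token hold privilege N?". Only the meaning of N changes, from a privilege almost nobody has to one everybody has, which is why an integrity check on that single variable is the natural detection.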