Crashing Your Way to Medium-IL: Exploiting the PDB Parser for Privilege Escalation

Conference:  BlackHat USA 2021

2021-08-04

Summary

The presentation discusses the exploitation of a vulnerability in Windows found by fuzzing: a type confusion in the debug help library (DbgHelp.dll). The speaker explains how they used it to escape the Enhanced Protected Mode sandbox in Internet Explorer and run code at medium integrity level (medium IL).
  • The speaker used fuzzing to find a vulnerability in the Windows debug help library (DbgHelp.dll)
  • They exploited a type confusion vulnerability in the library to bypass the Enhanced Protected Mode sandbox in Internet Explorer
  • The exploit allowed the speaker to run code at medium IL
  • The speaker split the exploit functionality into two PDB files, one to spray the memory of WerFault.exe and the other to trigger the vulnerability
  • The speaker sprayed the memory of WerFault.exe by creating a large PDB file with a repeated pattern and mapping it into memory using the MapViewOfFile API
  • The debug help library maps the entire PDB file into memory regardless of its size and does not unmap it until SymInitialize returns
  • The speaker was able to hijack the execution flow and call any absolute address they wanted in the context of WerFault.exe
The speaker found that if a 32-bit executable crashes, the 32-bit version of WerFault.exe is spawned for crash handling, which makes exploiting the vulnerability much easier. They sprayed the memory of WerFault.exe by creating a large PDB file with a repeated pattern and mapping it into memory with the MapViewOfFile API. By splitting the exploit functionality into two PDB files, the speaker triggered the vulnerability in the context of WerFault.exe and ran code at medium IL.
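The root cause in the talk is a type confusion deep inside DbgHelp's PDB parsing, and the exploit relies on DbgHelp mapping and trusting an attacker-controlled PDB wholesale. As an added example (not code from the talk or from DbgHelp), the check below is the kind of consistency test a parser should apply to the MSF 7.0 superblock of an untrusted PDB before trusting any of its size fields; the field layout is the publicly documented MSF format, and the test data is constructed.

```c
/* Added example (not from the talk or from DbgHelp): sanity-check the MSF 7.0
 * superblock of an untrusted PDB before a parser trusts any of its size fields.
 * Layout (public MSF format): 32-byte magic, then six little-endian uint32s:
 * BlockSize, FreeBlockMapBlock, NumBlocks, NumDirectoryBytes, Unknown, BlockMapAddr. */
#include <stdint.h>
#include <string.h>

#define MSF_MAGIC "Microsoft C/C++ MSF 7.00\r\n\x1A" "DS\0\0\0"
#define MSF_MAGIC_LEN 32
#define MSF_HDR_LEN (MSF_MAGIC_LEN + 6 * 4)

enum pdb_check { PDB_OK = 0, PDB_TOO_SHORT, PDB_BAD_MAGIC, PDB_BAD_BLOCK_SIZE,
                 PDB_BAD_FREE_MAP, PDB_SIZE_MISMATCH, PDB_BAD_BLOCK_MAP, PDB_DIR_TOO_LARGE };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns PDB_OK only if the header is consistent with the file's real length. */
enum pdb_check pdb_check_superblock(const uint8_t *buf, uint64_t len) {
    if (len < MSF_HDR_LEN) return PDB_TOO_SHORT;
    if (memcmp(buf, MSF_MAGIC, MSF_MAGIC_LEN) != 0) return PDB_BAD_MAGIC;
    uint32_t bs = rd32(buf + 32), free_map = rd32(buf + 36), nb = rd32(buf + 40);
    uint32_t dir_bytes = rd32(buf + 44), map_addr = rd32(buf + 52); /* +48 is reserved */
    if (bs != 512 && bs != 1024 && bs != 2048 && bs != 4096) return PDB_BAD_BLOCK_SIZE;
    if (free_map != 1 && free_map != 2) return PDB_BAD_FREE_MAP;
    /* 64-bit product: a header may claim far more blocks than the file holds. */
    if ((uint64_t)nb * bs != len) return PDB_SIZE_MISMATCH;
    /* Block 0 is the superblock itself; the block map must be a real block past it. */
    if (map_addr == 0 || map_addr >= nb) return PDB_BAD_BLOCK_MAP;
    /* The directory's list of block numbers must fit inside one block. */
    uint64_t dir_blocks = ((uint64_t)dir_bytes + bs - 1) / bs;
    if (dir_blocks * 4 > bs) return PDB_DIR_TOO_LARGE;
    return PDB_OK;
}

/* Writes a superblock into buf: constructed test data, not a real PDB. */
void write_superblock(uint8_t *buf, uint32_t bs, uint32_t free_map, uint32_t nb,
                      uint32_t dir_bytes, uint32_t map_addr) {
    memcpy(buf, MSF_MAGIC, MSF_MAGIC_LEN);
    wr32(buf + 32, bs);        wr32(buf + 36, free_map); wr32(buf + 40, nb);
    wr32(buf + 44, dir_bytes); wr32(buf + 48, 0);        wr32(buf + 52, map_addr);
}
```

A header that passes these checks can still carry a malicious stream layout, so this gates only the size fields a mapper relies on, not the deeper parsing the talk's bug lives in.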

Abstract

If you have ever done Windows debugging or crash dump analysis, you must be familiar with PDB files. These files store debugging information (or 'symbols') about a program, and are parsed by debuggers such as WinDBG and Visual Studio. Researching the parser for those files, implemented by DbgHelp.dll, I discovered several memory corruption vulnerabilities.

One attack surface for triggering these vulnerabilities is serving malformed PDBs through a remote symbol server to a debugger. I reported the issue to Microsoft MSRC, and they decided it doesn't meet the bar for security servicing because the attack surface is too complex. This led me to discover another attack surface, allowing me to use the exact same parsing bug for escalating privileges locally (fixed as CVE-2021-24090). I created a full exploit demonstrating a low-IL process gaining medium-IL privileges.

In this talk, I will describe the vulnerability discovery process and then go into detail about how the bug can be exploited. The exploit bypasses several OS-level mitigations such as ASLR, Heap hardening and CFG.
