Why so Spurious? How a Highly Error-Prone x86/x64 CPU "Feature" can be Abused to Achieve Local Privilege Escalation on Many Operating Systems

Conference: BlackHat USA 2018



The presentation discusses a Windows kernel exploit and the steps taken to achieve it.
  • The exploit requires ring 0 privileges and involves overriding driver signing enforcement checks and stealing the system token for admin privileges
  • Undocumented structures and offsets are obtained through the Microsoft symbol server
  • Security mitigations such as SMAP are disabled using ROP gadgets
  • The memory manager is instructed not to page out the memory the exploit needs in order to work
  • A hardware breakpoint is set and an ASM function is executed to start the exploit
  • An anecdote is provided about the need for a cool name, graphics, and soundtrack for a vulnerability to gain attention
  • Tags: cybersecurity, Windows kernel, exploit, symbol server, ROP gadgets, memory management
The presenters suggest that having a cool name, graphics, and soundtrack for a vulnerability can help gain attention. They mention that their exploit was named 'Why So Serious' and that a graphics designer was hired to create a graphic for it. They also note that all vulnerabilities seem to have great soundtracks these days.


There exists a "feature" in the x86 architecture that, due to improper programming by many operating system vendors, can be exploited to achieve local privilege escalation. At the time of discovery, this issue was present on the latest-and-greatest versions of Microsoft Windows, Apple's macOS, and certain distributions of Linux. This issue, very likely, impacts other operating systems on the x86 architecture. For both Intel and AMD CPUs, this vulnerability can be utilized to reliably and successfully exploit Windows 10 by replacing the access token of the current process with the SYSTEM token from an unprivileged and sandboxed usermode application. This results in local privilege escalation. On AMD hardware, if SMAP/SMEP is disabled, this vulnerability can be exploited without failure since arbitrary user-specified memory can be utilized in CPL 0.