The Journey of Hunting In-the-Wild Windows LPE 0day

Conference:  Black Hat USA 2022



The presentation discusses the detection and analysis of Windows LPE vulnerabilities and offers insights into future trends of in-the-wild Windows LPE 0-days.
  • The presentation shares three cases of Windows LPE vulnerabilities that were caught and analyzed.
  • The presentation provides detection suggestions for Windows LPE vulnerabilities.
  • Insights into future trends of in-the-wild Windows LPE 0-days are discussed.
The presentation shares an interesting case of a vulnerability caused by an unbalanced reference count on a CInteractionTrackerBindingManager object in DWM code. The steps to trigger this vulnerability are explained in detail.


From 2017 to 2021, Microsoft disclosed a total of 28 in-the-wild Windows LPE 0days, most of which are Windows kernel LPE vulnerabilities. These vulnerabilities are often used by top-level APT groups and can cause great harm. For security vendors, capturing an in-the-wild Windows kernel LPE 0day is very challenging. At the beginning of 2020, we decided to capture an in-the-wild Windows kernel LPE 0day. To achieve this, we studied a large number of historical cases and then developed an effective Windows LPE vulnerability detection method. This talk will focus on our story of hunting in-the-wild Windows LPE during 2020 and 2021: why we think this is possible, how we studied historical cases, how we used what we learned to develop a detection method, and how we continuously improved the method to make it more accurate and effective. Using this method, we successfully captured two in-the-wild Windows LPE 0days and an in-the-wild Windows LPE 1day. We will also compare the advantages and disadvantages of our method with other vendors' methods, and give some insights into the trend of Windows LPE 0days in the future.


