From Logic to Memory: Winning the Solitaire in Reparse Points

Conference:  BlackHat USA 2021

2021-11-11

Summary

The presentation discusses a new attack surface for memory corruption bugs in reparse points and introduces a unique bug hunting strategy.
  • The presentation introduces a new attack surface for memory corruption bugs in reparse points.
  • The speaker discusses a bug hunting strategy that combines dynamic and static methods.
  • The presentation includes an anecdote about successfully exploiting a vulnerability in reparse points.
  • The speaker emphasizes the importance of carefully handling every possible situation and cleaning up everything left open.
  • The presentation also introduces some useful and universal exploit techniques for future mitigation bypasses.
The speaker demonstrates the successful exploitation of a vulnerability in reparse points, resulting in a cmd prompt running as SYSTEM, and again stresses careful handling of every situation and cleanup of everything left open.

Abstract

In recent years, two types of reparse points, mount points and symlinks, have been used frequently in file redirection vulnerabilities in Windows system services. Hundreds of logic vulnerabilities (from permanent DoS and info leaks to privilege escalation) have been discovered in this attack surface. Besides fixing those vulnerabilities, Microsoft has also released many mitigations that make this bug class harder and harder to exploit successfully and stably. This presentation shows a 0-day logic vulnerability that bypasses all current mitigations with undisclosed exploit techniques and won the Windows EoP category at Pwn2Own 2021. All details will be covered, from finding the bug in one day with a unique vulnerability discovery strategy to winning a seemingly impossible race window stably.

But the story does not end there. Microsoft stopped granting bug bounties for that bug class and is releasing more and more mitigations to kill the bug class entirely. It seems to be the end of the reparse points era, but things are not always that easy. There are over fifty types of tags in reparse points; mount points and symlinks are only two of them. After exploring the other tags in reparse points, we found several memory corruption EoP bugs among them. Interestingly, one function in our findings contains three kinds of bugs: out-of-bounds read, out-of-bounds write and race condition; more interestingly, the same vulnerable function appears in several different Windows components. We reported our findings to Microsoft and quickly received bug bounties for these new discoveries. Memory corruption EoP bugs in reparse points can lead to native code execution in Windows system services and escalate privileges to SYSTEM directly, so all previous and future mitigations against logic EoP bugs in reparse points are useless against them. This presentation unveils this new and less noticed attack surface for memory corruption EoP bugs in reparse points.
