Discovering 20 Year Old Vulnerabilities in Modern Windows Kernel

Conference:  BlackHat EU 2020



The presentation discusses the discovery of 20-year-old vulnerabilities in the modern Windows kernel, specifically in the user-mode print driver (UMPD) component.
  • Introduction to the print driver model in Windows system
  • Explanation of the UMPD callback and its potential for creating a large attack surface
  • Disclosure of two previously undiscovered vulnerabilities in UMPD
  • Takeaways include the importance of understanding the components used daily and the potential for discovering vulnerabilities in old code
The speaker shared their experience of designing a special fuzzer for the UMPD, which effectively found multiple vulnerabilities in the Windows graphics kernel. They also disclosed the details of two fixed vulnerabilities to reveal the security impact of the UMPD attack surface.


With the continuous upgrade by Microsoft, the latest windows 10 version has become more and more powerful and supports more and more features. On the other hand, certain components always exist in windows system, such as printer driver.The function of the print driver consists of the GDI kernel and the user-mode printer driver.Printer Driver is too old, it turned out that few people payed attention to the security issues for it. However, the interaction between UMPD(user mode printer driver) and GDI kernel created a big attack surface.This talk presents how we found some novel and unique vulnerabilities in ancient windows code. In particular, we designed a special fuzzer for the user-mode print driver, which effectively found multiple vulnerabilities in windows graphics kernel. We will introduce the design idea and implement skills used in the fuzzer, and disclose the details of the two fixed vulnerabilities to deeply reveal the security impact of the UMPD attack surface.