Each new version of Windows OS Microsoft enhances security by adding security mitigation mechanisms -- Kernel land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox (Google Chrome sandbox for example) is by using a kernel vulnerability. That's why Microsoft struggles to enhance security of Windows kernel.
Kernel Pool allocator plays significant role in security of whole kernel. Since Windows 7, Microsoft started to enhance the security of the Windows kernel pool allocator. Tarjei Mandt aka @kernelpool has done a great job in analyzing the internals of the Windows kernel pool allocator and found some great attack techniques, mitigations bypasses etc. In Windows 8 however, Microsoft has eliminated almost all reliable techniques of exploiting kernel pool corruptions. An attack technique by Tarjei needs a lot of prerequisites to be successful and there are a lot of types of pool corruptions where his techniques don't work unfortunately. What if there is no control over overflown data? What if there is constant (zero bytes) and you have no chance to apply one of Tarjei's techniques? What if there is uncontrolled continuous overflow and #PF and BSOD is unavoidable?
So what to do? Commit suicide instantly? NO! Come and see this talk! We present a technique of 100% reliable exploitation of kernel pool corruptions which covers all flavors of Windows from NT 4.0 to Windows 8.
ABOUT NIKITA TARAKANOV
Nikita Tarakanov is an independent information security researcher who has worked as an IS researcher in Positive Technologies, VUPEN Security and CISS. He likes writing exploits, especially for Windows NT Kernel and won the PHDays Hack2Own contest in 2011 and 2012. He also tried to hack Google Chrome during Pwnium 2 at HITB2012KUL but failed. He has published a few papers about kernel mode drivers and their exploitation and is currently engaged in reverse engineering research and vulnerability search automation.
Uploader: Hack In The Box Security Conference