This course teaches participants how to exploit logic vulnerabilities in Windows system services using reparse points, specifically mount point and symlink. The course covers discovering unique vulnerabilities, bypassing mitigations, and exploiting memory corruption vulnerabilities to achieve privilege escalation. The teaching method includes a presentation showcasing a 0-day logic vulnerability that won the Windows EoP category in Pwn2Own 2021. The intended audience for this course includes cybersecurity professionals, ethical hackers, and individuals interested in understanding advanced exploitation techniques in Windows systems.
From Logic to Memory - Winning the Solitaire in Reparse Points
Overview
Syllabus
black hat EUROPE 2021
Reparse Points
File Redirection Attacks
File Redirection Mitigations #3
Make the exploitation harder
The unique vulnerability discovery strategy
Reset Solitaire
Root cause: vulnerable code
Challenges
Re-visit the vulnerability
File Operations Timeline
Race Window #0
Success rate expectation
Stability, stability, stability!
Reparse Data Structure
Reparse Point Tag
The memory corruption vulnerability model
Find the target - dynamic
Memory corruption vulnerability examples
Desktop bridge activation
Create the client
Read reparse point in Appinfo service
Set reparse point for OOB read
Out of bounds read crash
Race condition
MSRC response and timeline
The new attack surface impact
Future bug hunting insights
Summary
Taught by
Black Hat
Related Courses
-
Hey Man, Have You Forgotten to Initialize Your Memory?
-
Extreme Privilege Escalation on Windows 8 - UEFI Systems
-
Crashing Your Way to Medium-IL - Exploiting the PDB Parser for Privilege Escalation
-
Rootten Apples - Vulnerability Heaven in the iOS Sandbox
-
The Rise of Potatoes - Privilege Escalations in Windows Services
-
Falling Dominoes Pt. 2
