CVE-2021-34462: Exploiting the Windows AppXSvc Service Logic-Error Vulnerability

CVE-2021-34462 is a logic-error vulnerability in the Windows AppXSvc service, a service that provides infrastructure support for deploying Store applications in Windows. This vulnerability was used to win the Windows EoP category of Pwn2Own 2021. The technical details were subsequently presented at BlackHat Europe 2021 and are a very good read. This blog post documents our own analysis of the vulnerability and our exploit development effort for CVE-2021-34462.

First, we discuss the root-cause analysis of this vulnerability. Then we describe how it can be reliably exploited to escalate user privileges and obtain NT AUTHORITY\SYSTEM.


CVE-2022-42266: NVIDIA GPU Display Driver Kernel Information Disclosure Vulnerability

The NVIDIA GPU Display Driver nvlddmkm.sys does not properly validate the user-supplied buffer passed through D3DKMTEscape(); with crafted input data, a specific kernel object pointer is disclosed to the user.

Reference: https://nvidia.custhelp.com/app/answers/detail/a_id/5415

CVE-2022-34683: NVIDIA GPU Display Driver Null-Pointer Dereference Vulnerability

The NVIDIA GPU Display Driver nvlddmkm.sys does not properly validate the user-supplied buffer passed through D3DKMTEscape(); crafted input data triggers a null-pointer dereference and a BSOD.

Reference: https://nvidia.custhelp.com/app/answers/detail/a_id/5415

CVE-2022-31693: VMWare Tools for Windows Denial-of-Service Vulnerability

The VMware Tools for Windows driver vm3dmp.sys does not properly validate the user-supplied buffers passed through D3DKMTCreateAllocation() and D3DKMTRender(), leading to a kernel-mode exception that BSODs the guest system. If the undocumented svga.wddm.enableCmdErrorBSOD flag is disabled, the driver instead page-faults on an internal context object.

Reference: https://www.vmware.com/security/advisories/VMSA-2022-0029.html

CVE-2021-31985: Exploiting the Windows Defender AsProtect Heap Overflow Vulnerability

In the security updates of June 2021, Microsoft patched a heap buffer overflow in the Windows Defender engine mpengine.dll, assigned CVE-2021-31985.

In this blog post, we first recap the root-cause analysis of this vulnerability. Next, we discuss how CVE-2021-31985 can be exploited using the approach of the In-the-Wild (ITW) sample for CVE-2021-1647. Finally, we close with a parting remark on how a change in an object layout from mpengine.dll 1.1.18100 onwards breaks the exploitation technique used here.


CVE-2022-24521: Analysing and Exploiting the Windows Common Log File System (CLFS.sys) Logic-Error Vulnerability

In the security updates of April 2022, Microsoft patched two vulnerabilities (CVE-2022-24481 and CVE-2022-24521) in the CLFS.sys driver. The CLFS kernel component first gained popularity as an attack vector for escaping browser sandboxes in 2016. Although this feature has since been disabled in popular sandboxes, it is still frequently abused to escalate privileges locally on Windows.

In this blog post, we analyse the root cause of one of the vulnerabilities and discuss how it can be exploited trivially and with a high degree of reliability.


CVE-2020-9715: Exploiting the Adobe ESObject Use-After-Free Vulnerability

CVE-2020-9715 is a use-after-free vulnerability involving the ESObject object that was reported via the Zero Day Initiative and patched in Adobe Security Bulletin APSB20-48. ZDI has released an analysis of this vulnerability and also outlined the exploit strategy.

In this 13-month-late write-up, we discuss, as a fun exercise, the actual steps we used to develop the exploit.


CVE-2020-17087: Exploiting the CNG.sys IOCTL 0x390400 Pool Overflow Vulnerability

CVE-2020-17087 is a pool overflow vulnerability in the Windows CNG.sys driver that was discovered being exploited in the wild. Although root-cause analyses of the vulnerability have been published, its exploitation technique remains relatively unknown. The most notable information is the disclosure by Google Project Zero (GP0) that the ITW sample "uses the buffer overflow to establish an arbitrary read / write primitive in the kernel space with the help of Named Pipe objects".

In this blog post, we describe how this vulnerability can be exploited using the BlockSize attack method against the Windows 10 Segment Heap.


CVE-2021-34486: Event Tracing for Windows (ETW) TimerCallbackContext Object Use-After-Free Vulnerability

The Event Tracing for Windows (ETW) mechanism allows the logging of kernel- or application-defined events for debugging purposes. Developers can start and stop event tracing sessions, instrument an application to provide trace events, and consume trace events by calling the ETW set of user-mode Windows APIs. These calls ultimately result in corresponding syscalls to the kernel (ntoskrnl.exe), which performs the actual work.

In the ETW request to update periodic capture state, under specific conditions, there exists a use-after-free vulnerability whereby an attacker can controllably allocate a 0x30-byte buffer, free it, and subsequently reuse that buffer to execute arbitrary code.
