

Windows 8 Kernel Memory Protections Bypass - flurpitude
https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/

======
acqq
So it's just an "if we would have a hole, we could use it." They used the
"recently patched" hole (that is, the unpatched system) for their submission
to Microsoft, and the custom kernel driver they crafted for this article.
Unsurprisingly, Microsoft's response was "yes, we know, no, you don't
qualify."

~~~
Someone1234
It is an impressive piece of research that bypasses several key pieces of
kernel protection. It could definitely be utilised by a kernel mode exploit in
the future to expand limited access into a full blown piece of running kernel
code.

I don't really have an opinion on Microsoft's response one way or the other.
They get to set the rules on their own bug bounty and that is that. Also to
fix this would almost certainly require a large scale kernel re-write (as the
article itself alludes to).

~~~
acqq
As far as I understand, their demo is dependent on their _kernel mode driver_
through which a user mode application can write to _any memory address_ with
the "root" privileges.

So it demonstrates that if you already have the "root" "write" privileges, you
can bypass the protections provided by the kernel. I fail to see what exactly
is impressive then.

Raymond Chen would probably cite the following segment from "The Hitchhiker's
Guide to the Galaxy"

""We're trapped now aren't we?"

"Yes," said Ford, "we're trapped."

"Well didn't you think of anything? I thought you said you were going to think
of something. Perhaps you thought of something and didn't notice."

"Oh yes, I thought of something," panted Ford. Arthur looked up expectantly.

"But unfortunately," continued Ford, " _it rather involved being on the other
side of this airtight hatchway._ " He kicked the hatch they'd just been
through."

------
twoodfin
In case you're a little confused, as I was, by the step from "can tag
arbitrary user memory as kernel executable" to "get the kernel to execute it",
the technique used by the PoC is (apparently) well-known enough not to
mention:

[http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part.html](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part.html)

Short version: You can overwrite a function pointer entry in the HAL dispatch
table that will be called by NtQueryIntervalProfile().

~~~
umanwizard
They allude to this in the introduction: "requires only a single vulnerability
that provides an attacker with a write-what-where primitive"

------
pwnfl4k3s
The point of this is simple: if you have a kernel vulnerability that allows
you to construct a write-what-where primitive (or even something lower like an
arbitrary inc/dec, although it is most of the time possible to transform
vulnerabilities into the former mentioned), you are able to turn it into
full-blown kernel-mode code execution using that technique. This is what
bypassing mitigation techniques is all about: turning a vulnerability into
code execution. In particular, the technique eliminates the need to use ROP in
order to bypass SMEP and DEP; this is why it is a big deal. The only reason
that it was not considered eligible for Microsoft's BlueHat program is the fact
that it is a kernel-land mitigation bypass, not a userland one.

~~~
drvdevd
What seems even more interesting about it is that it's directly related to
the paging structures in x64, making it potentially applicable to kernel mode
exploit mitigations on any OS running there (MacOS X for example).

It's a great example of why kernel mode exploit mitigation is unlikely to ever
reach the same level of effectiveness as in user mode.
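As an added example (not code from the MWR post or from anyone in this thread) tying twoodfin's "tag arbitrary user memory as kernel executable" to drvdevd's point about x64 paging structures: a decoder for the x86-64 PTE bits that SMEP and NX consult, plus a check that flags a user-range page whose entry has been flipped to supervisor-only and executable. Bit positions follow the Intel SDM; the user-address limit and the sample entries are constructed assumptions for a Windows x64 layout.

```python
# Added example: decode an x86-64 4-KiB page-table entry and flag the condition
# SMEP/NX are supposed to rule out. Bit layout per the Intel SDM:
# P = bit 0, R/W = bit 1, U/S = bit 2, XD = bit 63, PFN = bits 12..51.
PTE_PRESENT = 1 << 0
PTE_WRITE   = 1 << 1
PTE_USER    = 1 << 2               # U/S: 1 = user-accessible, 0 = supervisor-only
PTE_NX      = 1 << 63              # XD/NX: 1 = not executable
PFN_MASK    = 0x000F_FFFF_FFFF_F000

# Assumed canonical user-space limit on Windows x64 (anything above is kernel).
USER_VA_LIMIT = 0x0000_7FFF_FFFF_FFFF

def decode_pte(pte):
    """Return the access attributes encoded in a 4-KiB PTE as a dict."""
    return {
        "present": bool(pte & PTE_PRESENT),
        "writable": bool(pte & PTE_WRITE),
        "user": bool(pte & PTE_USER),
        "nx": bool(pte & PTE_NX),
        "pfn": (pte & PFN_MASK) >> 12,
    }

def kernel_can_execute(pte):
    """SMEP permits supervisor instruction fetch only from U/S=0 pages and
    DEP/NX requires XD clear, so both must hold for a kernel-mode fetch."""
    a = decode_pte(pte)
    return a["present"] and not a["user"] and not a["nx"]

def suspicious_user_mapping(va, pte):
    """A user-range VA whose PTE is supervisor-only and executable is the
    anomaly the bypass relies on: user-controlled bytes that SMEP/NX no
    longer keep the kernel from executing."""
    return va <= USER_VA_LIMIT and kernel_can_execute(pte)

def scan(mappings):
    """Return the VAs of every (va, pte) pair that trips the check."""
    return [va for va, pte in mappings if suspicious_user_mapping(va, pte)]

# Constructed sample entries (not real memory contents).
USER_VA   = 0x0000_0000_0040_0000
KERNEL_VA = 0xFFFF_F800_0010_0000
NORMAL_USER_CODE   = 0x0000_0000_1234_5025   # P, U/S=1, XD=0: SMEP blocks it
NORMAL_USER_DATA   = 0x8000_0000_1234_5027   # P, R/W, U/S=1, XD=1
TAMPERED_USER_CODE = 0x0000_0000_1234_5021   # P, U/S=0, XD=0: kernel-executable
KERNEL_CODE        = 0x0000_0000_0040_0021   # legitimate supervisor code page
SAMPLE = [(USER_VA, NORMAL_USER_CODE), (USER_VA + 0x1000, NORMAL_USER_DATA),
          (USER_VA + 0x2000, TAMPERED_USER_CODE), (KERNEL_VA, KERNEL_CODE)]
```

Running `scan(SAMPLE)` returns only the tampered user page; the kernel code page passes because its VA is above the user limit.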

------
thefreeman
The blog post mentions PoC code but I couldn't find it linked anywhere? Anyone
find it?

------
tormeh
A meta question: Why is this post so high on HN? It's not particularly new and
it doesn't have particularly many upvotes. Does HN have a list of
websites/blogs it prefers? I'm not saying this post is bad though it is
outside my field of interest, but I don't really understand the ranking
mechanism.

~~~
j_s
I did not see anything on your profile to contact you directly, so I will
share this here:

How Hacker News ranking really works
[https://news.ycombinator.com/item?id=6799854](https://news.ycombinator.com/item?id=6799854)
(~9 months old)

How Hacker News ranking algorithm works
[https://news.ycombinator.com/item?id=1781013](https://news.ycombinator.com/item?id=1781013)
(~4 years old)

Hacker News Charts and Data
[https://news.ycombinator.com/item?id=8075216](https://news.ycombinator.com/item?id=8075216)
(~1 month old)

Hacker News Rankings [http://hnrankings.info/](http://hnrankings.info/)

