tags: lpe, windows, kernel
original link: Chaining N-days to Compromise All: Windows Driver LPE: Medium to System
newsletter link: exploits.club Weekly Newsletter 16
Exploits Club Summary:
Theori is back again, this time with the third write-up of their 6-bug N-day full chain. Previously, the team detailed how they compromised the browser and escaped the sandbox. In this post, they continue the attack chain by escalating privileges through a logic bug in mkssrv.sys. The vulnerability itself stems from the ability to lock a Memory Descriptor List (MDL) region at an arbitrary address, "including the kernel address space from a user application". The post goes into detail on MDLs, the vulnerability, reaching the code path from userspace, and exploitation.
backlinks:
- Chaining N-days to Compromise All - Part 1 – Chrome Renderer RCE
- Chaining N-days to Compromise All - Part 2 – Windows Kernel LPE (a.k.a. Chrome Sandbox Escape)