tags: windows, lpe, kernel, streaming_service, double_fetch, arbitrary_increment
original link: Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part II
newsletter link: exploits.club Weekly Newsletter 42 - Glitching With A Lighter, Pixel 9 Baseband Security, Node.js Pipe Madness, And More
Exploits Club Summary:
Following up on their blog post from a little over a month ago, DEVCORE have returned with more bugs in the kernel streaming attack surface. After Pwn2Own, the team took a look at KS Event and identified a similar bug in which the conversion of a 32-bit request into a 64-bit one is mishandled. The post then details the ramifications of this, and how it can be used to perform a specific IOCTL with KernelMode. The team is able to convert this into an arbitrary increment primitive. After reviewing some of the traditional techniques one may use with this primitive, the team ends up working out their own exploit strategy to take this to full EoP.
backlinks: Streaming vulnerabilities from Windows Kernel (Part 1) - Proxying to Kernel