Off-By-One 2024 Day 2 - Win32k Vulnerability Dead Taking win32k Exploitation To The Next Level


Abstract

As a well-known attack surface in the Windows system, Win32k has historically caused many security problems. But with the efforts of Microsoft and security researchers, people have come to believe that Win32k is now secure enough that it is no longer harmful.

Especially with the continuous updates to the mitigations added by Microsoft, vulnerabilities in Win32k have become difficult to exploit, which has caused attackers to lose interest in Win32k.

In this talk, we will present the results of our work, which completely bypasses all of these security mitigation mechanisms and revitalizes the ancient attack surface of Win32k, so we named it "Next Level".

More specifically, we will present 5 Win32k vulnerabilities we discovered, which can lead to privilege escalation not only in normal environments but also in sandboxed environments, resulting in an escape from the security sandbox.

Also, we will introduce the various restrictions Microsoft has imposed on Win32k and how to bypass them.

Finally, we will summarize whether the exploitation and vulnerability-hunting methods generalize beyond these specific bugs, and what suggestions we have for the future security of win32k.

Speakers
YanZiShuang is a Windows security researcher at CyberKunlun. His main research areas are Web and OS, Red Team and Penetration Testing.

Follow Yan on X @ YanZiShuang

Deng YunLong is a researcher specialising in Windows security, Tor traffic and deep learning methods. He is currently attached to the information security laboratory at WTU.
