This talk will discuss how CVE-2018-8611 can be exploited to achieve privilege escalation on Windows 10 1809 (RS5) and earlier. This research was done without getting a chance to analyze the in-the-wild 0day exploit that lead to the bug being patched by Microsoft, but rather by patch diffing and following some minimal public information as a starting point.
The following steps will be detailed: race condition -> use-after-free -> memory disclosure -> increment primitive -> arbitrary read -> arbitrary write -> privilege escalation
This presentation will go through the following:
- Windows Kernel Transaction Manager (KTM) internals
- Analyzing and winning the CVE-2018-8611 race condition vulnerability
- Abusing a fairly restrictive while loop to build a limited write primitive
- Building an arbitrary read primitive
- Escalating privileges and escaping the loop
Cedric has 10+ years experience with exploit development, and while at NCC Group working in the Exploit Development Group (EDG) has published some public research related to exploiting Cisco ASA, Windows kernel.