Erik Egsgard

Almost Escaping the Sandbox: Attacking Windows Device Drivers

Abstract

There are many local security boundaries in Windows across which an attacker may want to elevate privileges. The lower the starting privilege level, the less attack surface there is in which to find vulnerabilities. Applications may make use of sandboxes, such as browser or AppContainer sandboxes, to limit the access of untrusted code. More difficult challenges can be more interesting for the security researcher, and this presentation will examine approaches for identifying some of the attack surfaces that remain reachable from a sandbox.

A common attack surface for privilege elevation in Windows is device drivers. While the number of devices available to sandboxed code is quite limited, it is greater than zero, which leads to a non-zero chance of finding bugs. This talk will look at the discovery of a recently patched vulnerability I found in a device driver and how to abuse it for privilege elevation.
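One way to measure the "greater than zero" device surface mentioned above is to ask, from the token you are studying, which device objects will actually let you open a handle. The script below is an added example, not code from the talk or its author: it P/Invokes CreateFileW against a constructed list of NT device names (Null and KsecDD exist on every Windows install; Harddisk0\DR0 is a raw disk that is normally denied to non-administrators, so it shows the failure case) and reports the Win32 error for each. The device list, the function name Test-DeviceOpen and the use of the \\.\GLOBALROOT prefix to reach \Device names without a DOS symbolic link are assumptions made for this example; results depend entirely on the token of the process that runs it, so launch it inside the sandbox or low-privilege context you care about.

```powershell
# Added example (not from the talk): probe which \Device objects the current
# token can open. Device names below are constructed candidates; for real
# enumeration, feed in names listed from the \Device object directory.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Test-DeviceOpen {
    param(
        [Parameter(Mandatory)] [string[]] $DeviceNames,
        [uint32] $Access = 0x80000000   # GENERIC_READ; also try 0x40000000 (GENERIC_WRITE)
    )
    $INVALID_HANDLE = [IntPtr]::new(-1)
    $OPEN_EXISTING  = 3
    $FILE_SHARE_RW  = 3                 # FILE_SHARE_READ | FILE_SHARE_WRITE

    foreach ($name in $DeviceNames) {
        # \\.\GLOBALROOT\Device\X addresses the NT object name directly,
        # so devices without a \GLOBAL??\ symbolic link are reachable too.
        $path = "\\.\GLOBALROOT\Device\$name"
        $h = [Probe.Native]::CreateFileW($path, $Access, $FILE_SHARE_RW,
                [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $ok  = ($h -ne $INVALID_HANDLE)
        if ($ok) { [void][Probe.Native]::CloseHandle($h) }

        # 5 = ERROR_ACCESS_DENIED (the device DACL or integrity label stops you),
        # 2 = ERROR_FILE_NOT_FOUND (no such device object on this machine).
        $code = if ($ok) { 0 } else { $err }
        [pscustomobject]@{
            Device     = $path
            Opened     = $ok
            Win32Error = $code
        }
    }
}

# Constructed candidate list for the example run.
Test-DeviceOpen -DeviceNames 'Null', 'KsecDD', 'Harddisk0\DR0' | Format-Table -AutoSize
```

A device that opens is only the first filter: it tells you the object's security descriptor admits your token, not that the driver's IOCTL handlers are reachable or unsafe. Repeat the run with different access masks, and with the token actually granted inside the sandbox, before spending time reversing any one driver.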

Often when reading vulnerability write-ups the bugs seem obvious and the path to discovery fairly straightforward. In reality, the hunt for exploitable vulnerabilities usually involves much frustration and chasing down promising-looking leads that go nowhere. The presentation will cover the bug hunting journey in more detail, hopefully leaving the aspiring researcher with a "don't give up" attitude.

BIO

Erik Egsgard is a Principal Security Developer with Field Effect. With almost 20 years' experience in the computer security field, he has found vulnerabilities across a wide range of software and operating systems, including Windows, MacOS, iOS and Android.