Angelboy

Frame by Frame, Kernel Streaming Keeps Giving Vulnerabilities

Abstract

Kernel Streaming emerged as a new attack surface in the Windows kernel last year, leading to numerous in-the-wild exploits. Over the past year, we also uncovered “proxying to kernel”, a logical bug class that circumvents many privilege checks in the kernel and makes exploitation very straightforward. However, this is just the tip of the iceberg for Kernel Streaming.

This time, we turn our focus to one of the most common input sources for Kernel Streaming: frames from a webcam. What if a carefully crafted frame isn’t just rendered as an image, but also “plays” with your memory? In this presentation, we reveal a new array of bug classes in which we have identified more than 10 vulnerabilities. We discuss the design flaws that led to them, why they may look unexploitable at first glance, and how we turned some of them into arbitrary physical memory writes.

By the end of this talk, attendees will have learned elegant exploitation techniques that bypass most modern kernel mitigations, along with methodologies for identifying and analyzing similar vulnerability patterns. Having seen the true power of these bug classes firsthand, attendees will be better equipped not only to discover more local privilege escalation vulnerabilities in Windows, but also to defend against them.

BIO

An-Jie Yang, aka Angelboy, is a senior security researcher at DEVCORE and a member of the CHROOT security group from Taiwan. He is a vulnerability researcher focusing on Windows kernel security. He has participated in many CTFs, such as HITB, DEFCON and Boston Key Party, and placed 2nd in DEFCON CTF 25 and 27 with the HITCON CTF Team. In the past two years, he has pwned several products in Pwn2Own Mobile. He also won the title of “Master of Pwn” at Pwn2Own Toronto 2022 with the DEVCORE team. He has spoken at several conferences, including HEXACON, HITCON, VXCON, AVTokyo and HITB GSEC.

You can find him on Twitter @scwuaptx.