Cedric Halbronn and Jael Koh

Hunting for overlooked cookies in Windows 11 KTM and baking exploits for them

Abstract

The Windows Kernel Transaction Manager (KTM) driver is a widely accessible yet critically overlooked attack surface.

Thanks to prior research by Cedric Halbronn and Aaron Adams into an in-the-wild KTM exploit (CVE-2018-8611), most of KTM's internals have been well documented, except for two objects.

After attending Cedric's "Windows Exploit Engineering Foundation" training, Jael Koh investigated these two objects. To his surprise, Jael ended up discovering and reporting two Use-After-Free vulnerabilities in KTM within a span of three weeks. Microsoft has since fixed both vulnerabilities (CVE-2024-43570 and CVE-2024-43535) in the October 2024 Patch Tuesday update.

This talk, presented jointly by Jael and Cedric, will showcase the journey of uncovering these vulnerabilities and the challenges of exploiting them on Windows 11.

BIO

Cedric Halbronn (@saidelike) is a security researcher with over 15 years of experience. He has exploited a wide range of targets, including mobile phones, Windows, Linux, firewalls, printers, routers and NAS devices, with a focus on reliability and usability. He won Pwn2Own in 2021 and 2022. He has spoken at many security conferences (OffensiveCon, Hexacon, RECon, HITB, etc.) and is the author of the "Windows Exploit Engineering Foundation" training.

Jael Koh (@_jaelkoh) is a Security Researcher at PixiePoint Security. He specializes in reverse engineering and exploit development, with a primary focus on Microsoft Windows internals.