Kernel Pool Exploitation on Windows 7

As some of you already may have noticed, I’ll be speaking at Black Hat DC this year. The talk is titled Kernel Pool Exploitation on Windows 7 and covers the inner workings of the Windows 7 kernel pool (data structures, algorithms, etc.) and its susceptability to exploitation in face of pool corruption vulnerabilities. As we all know, kernel pool exploitation became measurably more difficult on Windows 7 due to safe unlinking. If you’re interested in kernel/driver vulnerabilities and their exploitability, you should¬†definitely¬†stop by January 19th and follow me (@kernelpool) on Twitter :-) The presentation abstract is as follows.

In Windows 7, Microsoft introduced safe unlinking to the kernel pool to address the growing number of vulnerabilities affecting the Windows kernel. Prior to removing an entry from a doubly-linked list, safe unlinking aims to detect memory corruption by validating the pointers to adjacent list entries. Hence, an attacker cannot easily leverage generic “write 4” techniques in exploiting pool overflows or other pool corruption vulnerabilities. In this talk, we show that in spite of the efforts made to remove generic exploit vectors, Windows 7 is still susceptible to generic kernel pool attacks. In particular, we show that the pool allocator may under certain conditions fail to safely unlink free list entries, thus allowing an attacker to corrupt arbitrary memory. In order to thwart the presented attacks, we conclusively propose ways to further harden and enhance the security of the kernel pool.

Update (2011-02-04): The slides and whitepaper have been made available for download here.

Comments are closed.