Confidence - (28-29.05 2013 Krakow)
Language: polski | engish

Nikita Tarakanov

Bio: Nikita Tarakanov is an independent information security researcher who has worked as an IS researcher in Positive Technologies, VUPEN Security and CISS. He likes writing exploits, especially for Windows NT Kernel and won the PHDays Hack2Own contest in 2011 and 2012. He also tried to hack Google Chrome during Pwnium 2 at HITB2012KUL but failed. He has published a few papers about kernel mode drivers and their exploitation and is currently engaged in reverse engineering research and vulnerability search automation.

Topic of Presentation:
Exploiting Hardcore Pool Corruptions in Microsoft Windows Kernel


Each new version of Windows OS Microsoft enhances security by adding security mitigation mechanisms.

Kernel land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox (Google Chrome sandbox for example) is by using kernel vulnerability.

That’s why Microsoft struggles to enhance security of Windows kernel. Kernel Pool allocator plays significant role in security of whole kernel. Since Windows 7 Microsoft started to enhance security of kernel pool allocator.

Kernelpool aka Tarjei Mandt has done great job on analyzing internals of kernel pool allocator, which includes great attack techniques, mitigations bypasses etc. In windows 8 Microsoft has eliminated almost all reliable techniques of exploiting kernel pool corruptions. However, attack techniques by Tarjei need a lot of prerequisites to get success. There are a lot of types of pool corruptions where these techniques don’t work, unfortunately.

What if there is no control over overflown data?
What if there is constant(zero bytes) and you have no chance to apply one of Tarjei’s techniques?
What if there is uncontrolled continuous overflow and #PF and BSOD is unavoidable?

So what to do?
Commit suicide instantly?


Come and see this talk!

This talk presents technique of 100% reliable exploitation of kernel pool corruptions.
This unique technique works since NT 4.0 to Windows 8 including.