voidsec2023-06-14T18:11:22+02:00With this blog post I’d like to sum up my year-long Windows Drivers research; share and detail my own methodology for reverse engineering (WDM) Windows drivers, finding some possible vulnerable code paths as well as understanding their exploitability. I've tried to make it as "noob-friendly" as possible, documenting all the steps I usually perform during my research and including a bonus exercise for the readers.
Setting up the lab
While in the past, setting up a lab for kernel debugging was a...
Merry Hackmas: multiple vulnerabilities in MSI’s products
voidsec2023-06-14T18:03:34+02:00This blog post serves as an advisory for a couple of MSI’s products that are affected by multiple high-severity vulnerabilities in the driver components they are shipped with.
All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:
Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
Read/write 1/2/4 bytes to or from an IO port.
An attacker could exploit...
voidsec2022-01-14T08:59:18+01:00NVIDIA GeForce Experience (GFE) v.<= 3.21 is affected by an Arbitrary File Write vulnerability in the GameStream/ShadowPlay plugins, where log files are created using NT AUTHORITY\SYSTEM level permissions, which lead to Command Execution and Elevation of Privileges (EoP).
NVIDIA Security Bulletin – April 2021
NVIDIA Acknowledgements Page
This blog post is a re-post of the original article “Chaining Bugs: CVE‑2021‑1079 - NVIDIA GeForce Experience (GFE) Command Execution” that I have written for Yarix on YLabs.
Some time ago I was looking for...
CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!
voidsec2022-01-14T09:05:26+01:00Banner Image by Sergio Kalisiak
TL; DR: I will explain, in details, how to trigger PrintDemon exploit and dissect how I’ve discovered a new 0-day; Microsoft Windows EoP CVE-2020-1337, a bypass of PrintDemon’s recent patch via a Junction Directory (TOCTOU).
After Yarden Shafir’s & Alex Ionescu’s posts (PrintDemon, FaxHell) and their call to action, I’ve started diving into the PrintDemon exploit. PrintDemon is the catching name for Microsoft CVE-2020-1048: Windows Print Spooler Elevation of Privilege Vulnerability which is affecting (according to Microsoft),...