Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Windows Kernel DoS/Privilege Escalation via a NULL Pointer Deref - 379

Simon Zuckerbraun - ZDI (posted 5 years ago)
  • The vulnerability is a NULL pointer dereference caused by an unchecked assumption about the object being passed in. Essentially, the code expects a particular type of handler to be present on that object but does NOT require it. Without any validation, the handler can be left as NULL, which triggers a jump to address 0.
  • Is this exploitable? It is a NULL pointer dereference after all. That is where the fun begins! In Windows, the NULL address is actually mapped for 16-bit processes under the NTVDM subsystem, which is only available on 32-bit systems. So, it IS possible to execute code from there!
  • Well, kind of. Modern operating systems have a protection that separates kernel-mode code from user-mode code. This means that even if we could map something at address 0 from userland (using the situation above), SMEP would crash the system as soon as the kernel jumped to that user-mode page.
  • Apparently, the author disabled SMEP and installed the NTVDM subsystem in order to verify that this exploit worked. Although this requires a very convoluted scenario, it is still possible to pull off!