Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Desktop Window Manager (CVE-2021-28310)

Securelist, posted 4 years ago
  • This bug is a combination of a few issues within the Desktop Window Manager (DWM). None of these issues is a vulnerability by itself. But by causing a desync between what a structure records about itself (its property count) and what it actually holds, they become one.
  • The DirectComposition API is used for Windows bitmap composition with transformations, effects and animations. This component is known to be buggy and has many reported CVEs already. To send batch commands, a special LPC format is used.
  • The add path of this API has an input validation issue. It appends the new property to the resource first and only validates the propertyId and storageOffset after the property has already been added! Any time validation happens after the action it is supposed to guard, that's a sign of something bad to come.
  • The same code path for the Update functionality does no validation at all. Because of that complete lack of validation, an attacker can turn it into an out-of-bounds write on the propertiesData buffer, provided a few checks on the data succeed. However, this version only existed in userland and not in the kernel (unlike the first bug).
  • By using the first bug to increase the number of properties and then triggering an error that returns without fixing the counter, the stored property count no longer matches the actual number of properties. Because the recorded length had been changed, the update path could now be used for an OOB write.
  • Finding validation after some action has already occurred is a wonderful source for bugs that cause desyncs. Awesome bug and a straightforward write-up.
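The validate-after-mutate pattern from the notes above, as an added constructed example (this is not DWM's code nor anything from the Securelist write-up): a toy resource whose add routine grows the property count before checking storageOffset, so a rejected add still leaves the count advanced and a later update reaches an out-of-bounds offset; the fixed add runs every check before touching state. The struct layout, field names and sizes are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_PROPS    4
#define STORAGE_SIZE 64

/* Constructed toy resource, not the real DWM layout: a count plus per-property offsets into data[]. */
typedef struct {
    uint32_t count;                    /* properties the resource believes it has */
    uint32_t storageOffset[MAX_PROPS]; /* each property's slot inside data[] */
    uint8_t  data[STORAGE_SIZE];
} resource_t;

/* Vulnerable add: grows count before validating storageOffset and never rolls
 * back, so a rejected request still leaves count advanced (the desync). */
static int add_property_vuln(resource_t *r, uint32_t propertyId, uint32_t storageOffset) {
    if (propertyId >= MAX_PROPS) return -1;
    r->storageOffset[propertyId] = storageOffset;
    r->count = propertyId + 1;                                          /* state changed... */
    if (storageOffset > STORAGE_SIZE - sizeof(uint32_t)) return -1;     /* ...checked too late */
    return 0;
}

/* Fixed add: every check runs before any state changes, so a rejected request is a no-op. */
static int add_property_fixed(resource_t *r, uint32_t propertyId, uint32_t storageOffset) {
    if (propertyId >= MAX_PROPS) return -1;
    if (storageOffset > STORAGE_SIZE - sizeof(uint32_t)) return -1;
    r->storageOffset[propertyId] = storageOffset;
    r->count = propertyId + 1;
    return 0;
}

/* Update trusts count and the stored offset, as in the notes. Rather than writing past
 * data[], it reports the hazard: 1 = OOB write reachable, 0 = safe write, -1 = no such property. */
static int update_property(resource_t *r, uint32_t propertyId, uint32_t value) {
    if (propertyId >= r->count) return -1;
    uint32_t off = r->storageOffset[propertyId];
    if (off > STORAGE_SIZE - sizeof(uint32_t)) return 1;
    memcpy(&r->data[off], &value, sizeof value);
    return 0;
}

int main(void) {
    resource_t r = {0}, f = {0};
    int rc = add_property_vuln(&r, 0, 1000);   /* rejected, yet count is now 1 */
    printf("vuln:  add=%d count=%u update=%d\n", rc, r.count, update_property(&r, 0, 1));
    rc = add_property_fixed(&f, 0, 1000);      /* rejected, count stays 0 */
    printf("fixed: add=%d count=%u update=%d\n", rc, f.count, update_property(&f, 0, 1));
    return 0;
}
```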