Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Privilege Escalation Via a Use After Free Vulnerability In win32k - 484

JeongOh Kyea - ZDI (posted 4 years ago)
  • The DirectComposition Windows API enables graphical effects such as image conversion and animations. In Windows 10, a group of system calls was batched into a single action, and several vulnerabilities have since been found in this component.
  • Some of the code in the direct composition API has a circular dependency of pointers; one object references another and vice versa. When one of the objects is freed, it is important to remove the reference so that a dangling pointer does not exist. In the base case, this is done properly.
  • There is an assumed one-to-one relationship between these shared objects, though. So, if the object is referenced by two different TrackerBinding objects, the original object's pointer is forgotten about. When the other object is freed, it leaves a dangling pointer on a TrackerList object. This was CVE-2020-1381.
  • The patch for this vulnerability involved validating that the TrackerList was not being referenced by another TrackerBinding. However, there is a small edge case that bypasses this fix. Natalie at P0 says that 25% of zero days do not receive a proper patch, which makes the case for looking for bypasses in recent patches to find vulns.
  • By setting the entry_id to 0, Windows treats the entry as unnecessary. This calls a function that removes the binding, but not the entry, for only ONE of the sides! So, when the check tries to validate whether the TrackerList is currently in use by another TrackerBinding, it fails, and the vulnerability can be triggered in the same way as before.
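The ownership mistake behind the bug above is easy to lose in the details of win32k, so here is a toy C model of it, added as an illustration; this is not code from the ZDI post or from Windows, and the `List`/`Binding` types and every function name are hypothetical stand-ins for the TrackerList/TrackerBinding relationship the notes describe. The naive design keeps a single back-pointer (the assumed one-to-one relationship), so a second binding overwrites it and the first binding is left dangling after the free. The hardened design records every referrer, updates both sides of the relationship in one step, and refuses to free a shared object while anything still points at it.

```c
#include <stdlib.h>
#include <stddef.h>

#define MAX_REFS 4

typedef struct Binding Binding;
typedef struct List List;

/* Hypothetical shared object. `owner` is the flawed 1:1 back-pointer;
 * `owners[]`/`n_owners` is the hardened bookkeeping of every referrer. */
struct List {
    Binding *owner;             /* flawed: assumes exactly one referrer */
    Binding *owners[MAX_REFS];  /* hardened: every binding that points at us */
    int n_owners;
};

/* Hypothetical referrer holding a forward pointer to the shared object. */
struct Binding {
    List *list;
};

/* Flawed bind: overwrites the single back-pointer, so any earlier
 * binding that still points at `l` is silently forgotten. */
static void bind_naive(Binding *b, List *l) {
    b->list = l;
    l->owner = b;
}

/* Flawed free: clears only the one remembered referrer. */
static void free_list_naive(List *l) {
    if (l->owner) l->owner->list = NULL;
    free(l);
}

/* Hardened bind: record every referrer. Returns 0 on success, -1 if full. */
static int bind_tracked(Binding *b, List *l) {
    if (l->n_owners >= MAX_REFS) return -1;
    b->list = l;
    l->owners[l->n_owners++] = b;
    return 0;
}

/* Hardened unbind: both sides are updated together, so the list's view of
 * who references it can never disagree with the bindings' pointers. */
static void unbind_tracked(Binding *b) {
    List *l = b->list;
    if (!l) return;
    for (int i = 0; i < l->n_owners; i++) {
        if (l->owners[i] == b) {
            l->owners[i] = l->owners[--l->n_owners];
            break;
        }
    }
    b->list = NULL;
}

/* Hardened free: refuse while any binding still references the list.
 * Returns 0 if freed, -1 if the list is still in use. */
static int free_list_tracked(List *l) {
    if (l->n_owners > 0) return -1;
    free(l);
    return 0;
}

/* Scenario 1: two bindings share one list through the flawed API.
 * Returns how many bindings still hold a pointer after the free
 * (the pointer is only compared against NULL, never dereferenced). */
int dangling_after_naive_free(void) {
    Binding b1 = {0}, b2 = {0};
    List *l = calloc(1, sizeof *l);
    bind_naive(&b1, l);
    bind_naive(&b2, l);      /* b1 is now forgotten by the list */
    free_list_naive(l);      /* only b2 gets cleared */
    return (b1.list != NULL) + (b2.list != NULL);
}

/* Scenario 2: the same sharing through the hardened API. Returns 1 if the
 * free was refused while both bindings were still attached, else 0. */
int tracked_free_refused_while_shared(void) {
    Binding b1 = {0}, b2 = {0};
    List *l = calloc(1, sizeof *l);
    bind_tracked(&b1, l);
    bind_tracked(&b2, l);
    int refused = (free_list_tracked(l) == -1);
    unbind_tracked(&b1);
    unbind_tracked(&b2);
    free_list_tracked(l);    /* nothing references l any more: succeeds */
    return refused;
}

/* Scenario 3: hardened path end to end; returns the number of bindings
 * still holding a pointer once the list has actually been freed. */
int dangling_after_tracked_free(void) {
    Binding b1 = {0}, b2 = {0};
    List *l = calloc(1, sizeof *l);
    bind_tracked(&b1, l);
    bind_tracked(&b2, l);
    unbind_tracked(&b1);
    unbind_tracked(&b2);
    free_list_tracked(l);
    return (b1.list != NULL) + (b2.list != NULL);
}
```

The point to take from the model is the invariant, not the toy API: every object that holds a pointer to a shared object must be discoverable from that object at free time, and any operation that drops one side of the relationship must drop the other in the same step. The patch bypass in the notes is exactly a violation of the second half, where one side's bookkeeping is removed while the other side's raw pointer survives, so the "is anyone else referencing this?" check has nothing left to find.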