When an I/O control request is sent on a socket, the request code is verified so that internal functions cannot be invoked directly. However, the TdxIssueIoControlRequest function accepts codes without performing that validation. This is the first vulnerability.
With the ability to call internal functions unexpectedly, many other bugs fell out of this. The research surfaced 4 exploitation paths: an arbitrary increment, an arbitrary read/write via access to a pointer, a TOCTOU on a buffer, and an info leak.
The other two bugs are TOCTOU bugs. Windows IOCTLs have three transfer modes: buffered (the user buffer is copied into the kernel), direct I/O (the user buffer is mapped into kernel address space), and neither (the kernel operates directly on the shared user mapping).
Both TOCTOU bugs fall into the neither category. Because a user can write to this memory at any time, validation is hard to do correctly, and that leads to many TOCTOU bugs.
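The double-fetch pattern behind a METHOD_NEITHER TOCTOU is easy to see in a user-mode simulation. The following is an added example, not code from the article or from the driver it analyses: it decodes the transfer method from an IOCTL code the way the Windows CTL_CODE macro packs it (low two bits), then contrasts a handler that re-reads a shared request header after validating it with one that captures the value once into handler-owned storage. The `struct req`, `MAX_LEN`, the `racer` callback that stands in for a concurrent user thread, and the two sample control codes are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Transfer method lives in bits 0-1 of a Windows IOCTL code (see CTL_CODE). */
#define METHOD_BUFFERED   0
#define METHOD_IN_DIRECT  1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER    3

/* Decode the transfer method from a control code. */
unsigned ioctl_method(uint32_t code) { return code & 3u; }

#define MAX_LEN 16   /* constructed: largest payload the handler may copy */

/* Constructed request header shared with the caller. Under METHOD_NEITHER the
 * kernel reads it straight out of user memory, so another user thread can
 * rewrite it between any two reads; 'volatile' models that here. */
struct req { volatile uint32_t len; };

/* Simulated concurrent writer, invoked in the window between check and use. */
typedef void (*racer_fn)(struct req *);

enum outcome { REJECTED, COPIED_OK, BOUND_BYPASSED };

/* Vulnerable pattern: validate r->len, then fetch it again for the copy. */
enum outcome handler_double_fetch(struct req *r, racer_fn racer) {
    if (r->len > MAX_LEN) return REJECTED;      /* first fetch: the check */
    racer(r);                                   /* user memory changes here */
    uint32_t used = r->len;                     /* second fetch: the use */
    if (used > MAX_LEN) return BOUND_BYPASSED;  /* a real driver would now copy 'used' bytes */
    char kbuf[MAX_LEN] = {0};
    memset(kbuf, 'A', used);                    /* stands in for the bounded copy */
    return COPIED_OK;
}

/* Hardened pattern: capture once into handler-owned storage; check and use that copy. */
enum outcome handler_capture_once(struct req *r, racer_fn racer) {
    uint32_t len = r->len;                      /* single fetch */
    if (len > MAX_LEN) return REJECTED;
    racer(r);                                   /* later changes cannot reach 'len' */
    char kbuf[MAX_LEN] = {0};
    memset(kbuf, 'A', len);
    return COPIED_OK;
}

/* Constructed racers: one grows the length mid-request, one does nothing. */
static void grow_len(struct req *r) { r->len = 4096; }
static void no_race(struct req *r) { (void)r; }

int main(void) {
    struct req r = { 8 };
    printf("method of 0x12003: %u (NEITHER=%d)\n", ioctl_method(0x12003u), METHOD_NEITHER);
    printf("double fetch under race: %d (BOUND_BYPASSED=%d)\n",
           handler_double_fetch(&r, grow_len), BOUND_BYPASSED);
    r.len = 8;
    printf("capture once under race: %d (COPIED_OK=%d)\n",
           handler_capture_once(&r, grow_len), COPIED_OK);
    return 0;
}
```

The fix is the same rule that makes buffered I/O safe: copy the user-controlled value into memory the caller cannot touch, and validate and use only that copy. Every additional read of the shared mapping after validation reopens the window.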
To me, there are 3 bugs: the 2 TOCTOU bugs and the code validation bypass. By simply fixing the validation bypass, you also make those bugs completely unexploitable. But I suppose the more CVEs the better!
The article has a bunch of background on the Windows OS, which was good to see. Overall, a good article with unique and hard-to-find bugs.