Exploitation of Kernel Pool Overflow on Microsoft Windows 10 DKOM/DKOHM is Back in DKOOHM! Direct Kernel Optional Object Header Manipulation

Black Hat USA 2017

Presented by: Nikita Tarakanov
Date: Thursday July 27, 2017
Time: 12:10 - 13:00
Location: Jasmine Ballroom

With each new version of Windows, Microsoft raises the bar by adding mitigation mechanisms. Kernel-land vulnerabilities are therefore getting more and more valuable these days. For example, the easiest way to escape from a sandbox (e.g. the Google Chrome sandbox) is by using a kernel vulnerability. That's why Microsoft keeps working to enhance the security of the Windows kernel.

The kernel pool allocator plays a significant role in the security of the whole kernel. Starting with Windows 7, Microsoft began hardening the Windows kernel pool allocator. Tarjei Mandt (@kernelpool) has done a great job analysing the internals of the Windows kernel pool allocator and has found some great attack techniques, mitigations and more.

However, in Windows 8, Microsoft eliminated almost all reliable techniques for exploiting kernel pool corruptions. Unfortunately, Tarjei's attack technique requires a lot of prerequisites to be successful, and there are many types of pool corruption where his techniques will not work anymore.

Subsequently, in Windows 8.1, Microsoft eliminated a technique I discovered and presented at HITB 2013, also known as 0xBAD0B0B0. Since then there has been no easy way, publicly, to exploit pool overflows on this version of Windows. However, I have discovered yet another technique that leverages a combination of tricks to convert pool overflows.

Recovering from my continuous attacks against the Windows kernel, Windows 10 comes out with a lot of new protections and security mitigations that make it much harder to exploit those kernel-land vulnerabilities. In an everlasting cat-and-mouse game, I come back with a brand new exploitation technique that works seamlessly on Windows 7, Windows 8, Windows 8.1 and Windows 10 as well. Checkmate, Microsoft? Sorry, not this time!
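The abstract refers to pool overflows throughout without showing the bug class itself. The following is an added illustration for this page, not code from the talk or from Nikita Tarakanov, and it does not implement the DKOOHM technique or any of the other techniques mentioned above. It is a user-mode C simulation of two adjacent pool chunks with a simplified header loosely modelled on the x64 POOL_HEADER (the exact field layout, the DEMO_TAG value and the two hypothetical IOCTL handlers are assumptions made for this example). It shows how an unchecked copy length in a driver handler overwrites the neighbouring chunk's header, which is the raw corruption an exploit then has to turn into something useful, and the bounds check that prevents it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified pool chunk header, loosely modelled on the Windows x64 POOL_HEADER.
   The layout is an assumption for this illustration, not the exact kernel structure. */
typedef struct {
    uint8_t  PreviousSize;   /* size of the preceding chunk, in 16-byte units        */
    uint8_t  PoolIndex;
    uint8_t  BlockSize;      /* size of this chunk including header, in 16-byte units */
    uint8_t  PoolType;
    uint32_t PoolTag;        /* four-character allocation tag                         */
    uint64_t ProcessBilled;
} pool_header_t;             /* 16 bytes */

#define HDR_SIZE   ((int)sizeof(pool_header_t))    /* 16                                   */
#define CHUNK_DATA 64                               /* usable bytes in each demo chunk      */
#define CHUNK_SIZE (HDR_SIZE + CHUNK_DATA)          /* 80 bytes = 5 units of 16             */
#define POOL_SIZE  (2 * CHUNK_SIZE)                 /* two back-to-back chunks              */
#define DEMO_TAG   0x6F6D6544u                      /* "Demo" as a little-endian tag (assumed) */

/* Constructed "pool page": chunk A immediately followed by chunk B. */
static uint8_t g_pool[POOL_SIZE];

static pool_header_t *chunk_hdr(uint8_t *pool, int idx) {
    return (pool_header_t *)(pool + idx * CHUNK_SIZE);
}
static uint8_t *chunk_data(uint8_t *pool, int idx) {
    return (uint8_t *)chunk_hdr(pool, idx) + HDR_SIZE;
}

/* Lay out two same-sized allocations back to back, as a pool allocator would
   for consecutive requests that fit in the same free run. */
void pool_init(uint8_t *pool) {
    memset(pool, 0, POOL_SIZE);
    for (int i = 0; i < 2; i++) {
        pool_header_t *h = chunk_hdr(pool, i);
        h->PreviousSize = (uint8_t)(i == 0 ? 0 : CHUNK_SIZE / 16);
        h->BlockSize    = (uint8_t)(CHUNK_SIZE / 16);
        h->PoolType     = 1;
        h->PoolTag      = DEMO_TAG;
    }
}

/* Hypothetical driver IOCTL handler (assumed for this example): copies an
   attacker-controlled length into a 64-byte pool allocation with no bounds check. */
int vulnerable_ioctl(uint8_t *pool, const uint8_t *user_buf, size_t user_len) {
    memcpy(chunk_data(pool, 0), user_buf, user_len);
    return 0;
}

/* Hardened handler: refuse anything larger than the allocation. */
int hardened_ioctl(uint8_t *pool, const uint8_t *user_buf, size_t user_len) {
    if (user_len > CHUNK_DATA)
        return -1;               /* a real driver would return STATUS_BUFFER_OVERFLOW or similar */
    memcpy(chunk_data(pool, 0), user_buf, user_len);
    return 0;
}

/* 1 if chunk B's header still holds what pool_init wrote, 0 if it was corrupted. */
int neighbour_header_intact(uint8_t *pool) {
    pool_header_t *b = chunk_hdr(pool, 1);
    return b->PoolTag == DEMO_TAG
        && b->BlockSize == CHUNK_SIZE / 16
        && b->PreviousSize == CHUNK_SIZE / 16;
}

uint32_t neighbour_tag(uint8_t *pool) { return chunk_hdr(pool, 1)->PoolTag; }

/* 80 bytes of 'A': fills chunk A's data and then all 16 bytes of chunk B's header. */
static void build_payload(uint8_t *payload) { memset(payload, 'A', CHUNK_SIZE); }

/* Overflow a fresh pool through the vulnerable handler; returns chunk B's tag afterwards. */
uint32_t run_vulnerable(void) {
    uint8_t payload[CHUNK_SIZE];
    build_payload(payload);
    pool_init(g_pool);
    vulnerable_ioctl(g_pool, payload, sizeof payload);
    return neighbour_tag(g_pool);
}

/* Same payload through the hardened handler; returns its status code. */
int run_hardened(void) {
    uint8_t payload[CHUNK_SIZE];
    build_payload(payload);
    pool_init(g_pool);
    return hardened_ioctl(g_pool, payload, sizeof payload);
}

int main(void) {
    uint32_t tag = run_vulnerable();
    printf("vulnerable: neighbour tag now 0x%08x, header intact=%d\n",
           tag, neighbour_header_intact(g_pool));
    int rc = run_hardened();
    printf("hardened:   rc=%d, header intact=%d\n", rc, neighbour_header_intact(g_pool));
    return 0;
}
```

After the vulnerable copy, chunk B's PoolTag, BlockSize and PreviousSize are all attacker bytes (0x41); in a real kernel that corrupted header is what the allocator or a later free would consume, and which the mitigations in Windows 8 and later are designed to detect or make useless. The hardened handler never touches the neighbour because it compares the request against the size of the allocation it actually owns.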

Nikita Tarakanov

Nikita Tarakanov is an independent information security researcher. He has worked as an IS researcher at Intel, Positive Technologies, VUPEN Security and CISS. Nikita likes writing exploits, especially for the Windows NT kernel. He won the PHDays Hack2Own contest in 2011 and 2012, and he tried to hack Google Chrome during Pwnium 2 but failed. Nikita has published a few papers about kernel-mode drivers and their exploitation. He is currently engaged in reverse engineering research and vulnerability search automation.


KhanFu - Mobile schedules for INFOSEC conferences.