POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides

We discussed this vulnerability during Episode 102 on 23 November 2021

Heap based overflow in the Windows Kernel (ntfs.sys). This was originally found in the wild by Kaspersky, though Alex Plaskett here digs much more into the vulnerability and exploitation, and takes it in bit of a new direction removing the need for a separate info-leak.

The vulnerability itself is in NtfsQueryEaUserEaList which iterates over a files Extended Attributes and stores their names and values to a user-provided output buffer. It would align the attribute to 32bits, the problem is in the check to ensure the extended attribute would fit in the remaining buffer:

if ( ea_block_size <= out_buf_length - padding )

The problem here is that the out_buf_length - padding can underflow so the mememove following it would copy more data than is remaining in the buffer.

Exploit Strategy

On the exploitation front this was taken in a few stages, from the overflow, they targeted some structures from the Windows Notification Facility which they had reasonable control over allocations for when it comes to heap grooming. First was the WNF_STATE_DATA object which has two fields of importance: DataSize and AllocateadSize which can be overflowed, and corrupted leading to a relative read and write respectively as the object will think it has more space than it actually does for both.

With relative r/w a bit more heap grooming was use4d to target _WNF_NAME_INSTANCE andi its StateData field for arbitrary write. From this point there are a number of known techniques that can be used.