Heap-based overflow in the Windows kernel (ntfs.sys). This was originally found in the wild by Kaspersky, though Alex Plaskett here digs much deeper into the vulnerability and its exploitation, and takes it in a bit of a new direction by removing the need for a separate info-leak.
The vulnerability itself is in NtfsQueryEaUserEaList, which iterates over a file's Extended Attributes and stores their names and values into a user-provided output buffer. Each attribute is aligned to 32 bits; the problem is in the check meant to ensure the extended attribute fits in the remaining buffer:

if ( ea_block_size <= out_buf_length - padding )

The problem here is that out_buf_length - padding is an unsigned subtraction that can underflow when the remaining length is smaller than the padding, so the check passes and the memmove following it copies more data than is remaining in the buffer.
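The check above in a small, runnable model, added here as an example (it is not ntfs.sys code, nor code from the original write-up): the flawed unsigned check sits beside a hardened form that tests the padding against the remaining length before subtracting. The EA sizes, the buffer length and the function and macro names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the NtfsQueryEaUserEaList copy loop. This is example
 * code for this write-up, not ntfs.sys; the EA sizes, buffer length and
 * helper names are assumptions. Each EA block is laid out so that the next
 * one starts on a 4-byte boundary, and the bytes needed to reach that
 * boundary are the 'padding' the real check subtracts from the remaining
 * output length. */

#define ALIGN4(x) (((x) + 3u) & ~3u)

/* Walk n EA blocks into an output buffer of out_len bytes and return how
 * many bytes the copy would land past the end of the buffer (0 if none).
 * hardened == 0 reproduces the flawed check quoted above; hardened != 0
 * checks the padding against the remaining length first so nothing wraps. */
static uint32_t copy_ea_list(const uint32_t *ea_sizes, size_t n,
                             uint32_t out_len, int hardened)
{
    uint32_t offset = 0;     /* bytes of the output buffer consumed so far */
    uint32_t overflow = 0;   /* bytes that would be written beyond out_len */

    for (size_t i = 0; i < n; i++) {
        uint32_t ea_block_size = ea_sizes[i];
        uint32_t padding = ALIGN4(offset) - offset;   /* 0..3 */
        uint32_t remaining = out_len - offset;        /* unsigned, like ULONG */
        int fits;

        if (hardened) {
            /* Reject when even the padding does not fit, so the subtraction
             * on the right can never wrap. */
            fits = padding <= remaining && ea_block_size <= remaining - padding;
        } else {
            /* The original shape of the check: when remaining < padding the
             * subtraction wraps to ~4 GiB and any ea_block_size passes. */
            fits = ea_block_size <= remaining - padding;
        }
        if (!fits)
            break;

        /* The kernel's memmove would happen here; we only account for it. */
        uint32_t end = offset + padding + ea_block_size;
        if (end > out_len)
            overflow = end - out_len;
        offset = end;
    }
    return overflow;
}

int main(void)
{
    /* Constructed input: a 13-byte EA exactly fills a 13-byte buffer, so the
     * next iteration sees remaining == 0 but padding == 3. */
    const uint32_t eas[] = { 13, 32 };
    uint32_t out_len = 13;

    printf("vulnerable check: %u bytes past the buffer\n",
           copy_ea_list(eas, 2, out_len, 0));
    printf("hardened check:   %u bytes past the buffer\n",
           copy_ea_list(eas, 2, out_len, 1));
    return 0;
}
```

The trigger condition is simply an output length that is not a multiple of four being consumed exactly, or nearly so, by the preceding entries; the second entry's size is then unconstrained by the check. The hardened form is the usual fix for this class of bug: compare before you subtract, or compute the sum on the other side with an overflow check, rather than trusting a difference of two unsigned values.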
On the exploitation front this was taken in a few stages. From the overflow, they targeted structures from the Windows Notification Facility (WNF), whose allocations they had reasonable control over when it came to heap grooming. First was the WNF_STATE_DATA object, which has two size fields of importance, AllocatedSize among them: overflowing one and corrupting the other yields a relative read and a relative write respectively, as the object then believes it holds more data, and has more space, than it actually does. With a relative read/write, a bit more heap grooming was used to target _WNF_NAME_INSTANCE and its StateData field for an arbitrary write. From this point there are a number of known techniques that can be used.