Win32k Window Object Type Confusion [CVE-2022-21882]

We discussed this vulnerability during Episode 116 on 01 February 2022

Once again, a user-mode callback issued from the Windows kernel let an attacker change the type of a kernel object out from under the code that was still working on it, producing a type confusion. This bug is a bypass of the fix for CVE-2021-1732, which abused the same callback.

The post indicates that several families of kernel window procedures (xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc) could be used to trigger the xxxClientAllocWindowClassExtraBytes user-mode callback. From inside that callback, user mode can call NtUserConsoleControl to set the ConsoleWindow flag on the tagWND object. Once the callback returns, the kernel continues to operate on the tagWND object unaware that its type has changed, leading to a type confusion: the user-mode pointer returned by the callback is now treated as an offset into the desktop heap, so subsequent accesses land at an attacker-chosen distance from the heap base and can be used for further out-of-bounds reads and writes.
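The shape of the bug, as an added model in C that is not win32k code and not from the post. It mimics a window object whose extra-bytes field is read either as a user-mode pointer or as a desktop-heap offset depending on a flag, a user-mode callback that flips the flag mid-operation (standing in for calling NtUserConsoleControl from inside xxxClientAllocWindowClassExtraBytes), and, as one illustrative defence rather than the actual Microsoft patch, a version that snapshots the flag before the callback and refuses to continue if it changed. All names (ModelWnd, WNDFLAG_CONSOLEWINDOW, vulnerable_alloc, hardened_alloc, the heap and buffer sizes) are hypothetical; the functions return the address the "kernel" would touch instead of dereferencing it, so the example is safe to run.

```c
/* Added model of the CVE-2022-21882 pattern (hypothetical names, not win32k). */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define WNDFLAG_CONSOLEWINDOW 0x800u   /* stand-in for the tagWND ConsoleWindow flag */
#define DESKTOP_HEAP_SIZE     0x10000u /* constructed size for the simulated desktop heap */

typedef struct ModelWnd {
    uint32_t  flags;
    uintptr_t pExtraBytes;   /* user-mode pointer OR heap offset, depending on flags */
    uint32_t  cbExtraBytes;
} ModelWnd;

/* Simulated desktop heap: the region the kernel expects pExtraBytes to index
   when the ConsoleWindow flag is set. */
static uint8_t desktop_heap[DESKTOP_HEAP_SIZE];

/* Simulated user-mode buffer that the extra-bytes callback hands back. */
static uint8_t user_extra[64];

/* Callback type: the kernel calls out to user mode and gets a buffer back.
   The wnd pointer stands in for the window the callback can reach via its
   handle (and then pass to NtUserConsoleControl in the real bug). */
typedef uintptr_t (*alloc_extra_cb)(ModelWnd *wnd, uint32_t cb);

/* Benign callback: returns a user-mode buffer and changes nothing else. */
static uintptr_t benign_callback(ModelWnd *wnd, uint32_t cb) {
    (void)wnd; (void)cb;
    return (uintptr_t)user_extra;
}

/* Malicious callback: flips the flag while the kernel is mid-operation, then
   returns an ordinary user-mode pointer. The field's type just changed. */
static uintptr_t malicious_callback(ModelWnd *wnd, uint32_t cb) {
    (void)cb;
    wnd->flags |= WNDFLAG_CONSOLEWINDOW;
    return (uintptr_t)user_extra;
}

/* How the kernel side resolves pExtraBytes: offset from the heap base if the
   flag is set, raw pointer otherwise. */
static uintptr_t resolve_extra_bytes(const ModelWnd *wnd) {
    if (wnd->flags & WNDFLAG_CONSOLEWINDOW)
        return (uintptr_t)desktop_heap + wnd->pExtraBytes;
    return wnd->pExtraBytes;
}

static bool within_desktop_heap(uintptr_t addr, size_t len) {
    uintptr_t base = (uintptr_t)desktop_heap;
    return addr >= base && addr + len <= base + DESKTOP_HEAP_SIZE;
}

/* Vulnerable flow: call out to user mode, store the result as a pointer, then
   read it back according to whatever the flags say now. */
static uintptr_t vulnerable_alloc(ModelWnd *wnd, alloc_extra_cb cb) {
    uintptr_t result = cb(wnd, wnd->cbExtraBytes);
    wnd->pExtraBytes = result;
    return resolve_extra_bytes(wnd);
}

/* Illustrative hardened flow (not the real patch): remember the flag state
   before the callback and bail out (return 0) if it changed underneath us. */
static uintptr_t hardened_alloc(ModelWnd *wnd, alloc_extra_cb cb) {
    uint32_t before = wnd->flags & WNDFLAG_CONSOLEWINDOW;
    uintptr_t result = cb(wnd, wnd->cbExtraBytes);
    if ((wnd->flags & WNDFLAG_CONSOLEWINDOW) != before)
        return 0;
    wnd->pExtraBytes = result;
    return resolve_extra_bytes(wnd);
}

int main(void) {
    ModelWnd w = { 0, 0, sizeof user_extra };
    uintptr_t addr = vulnerable_alloc(&w, malicious_callback);
    printf("heap base      %p\n", (void *)desktop_heap);
    printf("kernel touches %p (in heap: %s)\n", (void *)addr,
           within_desktop_heap(addr, w.cbExtraBytes) ? "yes" : "NO");
    ModelWnd h = { 0, 0, sizeof user_extra };
    printf("hardened path  %s\n",
           hardened_alloc(&h, malicious_callback) ? "proceeded" : "rejected");
    return 0;
}
```

With the benign callback both flows resolve to the user buffer as intended; with the malicious one the vulnerable flow computes heap base plus the numeric value of a user-mode address, far outside the desktop heap, which is exactly the attacker-controlled out-of-bounds access the post describes.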