Microsoft Kernel Streaming Server Vulnerability (CVE-2023-36802)

We discussed this vulnerability during Episode 220 on 20 October 2023

An object type confusion was discovered in the Microsoft Kernel Streaming Server (mskssrv.sys), a driver used for virtualizing camera devices so that multiple applications can access camera streams. The driver exposes two main object types through which userspace acquires a context and sends/receives data: a context and a stream. A context stores per-device file metadata, used among other things to keep track of memory allocations, while a stream object is used for accessing camera stream data. The vulnerability was that the FSRendezvousServer::PublishRx IOCTL called FSRendezvousServer::FindObject() with a user-provided identifier to locate the accompanying stream object; however, FindObject() searched both the context list and the stream list, which made it possible for it to return a context in place of a stream.
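As an added illustration of the lookup flaw described above (this is not the driver's code; the object layouts, list names and ids are all assumptions), a hypothetical C model of a lookup that searches both lists beside one that checks the requested object type:

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the bug class: two object kinds share a common
 * header and are looked up by a user-supplied id. Names are assumptions. */
enum obj_type { OBJ_CONTEXT = 1, OBJ_STREAM = 2 };

struct ks_object {            /* common header both object kinds start with */
    enum obj_type type;
    uint32_t id;              /* user-supplied lookup identifier */
};

struct ks_context { struct ks_object hdr; void *frame_mdl; };           /* smaller */
struct ks_stream  { struct ks_object hdr; void *frame_mdl; uint8_t data[64]; };

#define MAX_OBJS 4
static struct ks_object *g_contexts[MAX_OBJS];
static struct ks_object *g_streams[MAX_OBJS];

/* Flawed lookup: scans both lists, so an id that belongs to a context is
 * handed back to a caller that expects a stream (the FindObject() pattern). */
struct ks_object *find_object_vulnerable(uint32_t id) {
    for (int i = 0; i < MAX_OBJS; i++)
        if (g_contexts[i] && g_contexts[i]->id == id) return g_contexts[i];
    for (int i = 0; i < MAX_OBJS; i++)
        if (g_streams[i] && g_streams[i]->id == id) return g_streams[i];
    return NULL;
}

/* Hardened lookup: the caller states the type it needs, only that list is
 * searched, and the type tag is re-checked before the pointer is returned. */
struct ks_object *find_object_checked(uint32_t id, enum obj_type want) {
    struct ks_object **list = (want == OBJ_STREAM) ? g_streams : g_contexts;
    for (int i = 0; i < MAX_OBJS; i++)
        if (list[i] && list[i]->id == id && list[i]->type == want) return list[i];
    return NULL;
}

/* Constructed scenario: one context (id 7) and one stream (id 8). */
static struct ks_context g_ctx  = { { OBJ_CONTEXT, 7 }, NULL };
static struct ks_stream  g_strm = { { OBJ_STREAM, 8 }, NULL, { 0 } };

void setup_objects(void) { g_contexts[0] = &g_ctx.hdr; g_streams[0] = &g_strm.hdr; }

/* Models the stream-expecting IOCTL path: returns 1 if the lookup handed it
 * a non-stream object (type confusion), 0 if it got a stream or nothing. */
int publish_rx_confused(uint32_t id, int use_checked) {
    struct ks_object *o = use_checked ? find_object_checked(id, OBJ_STREAM)
                                      : find_object_vulnerable(id);
    return o != NULL && o->type != OBJ_STREAM;
}
```

The checked lookup returns NULL for the context's id on the stream path, which is the behaviour a fix for this class of bug needs to guarantee.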

Exploitation

Because a context is a smaller object than a stream, this type confusion could be leveraged into an out-of-bounds write on an adjacent context. Specifically, PublishRx calls FsFrameMdl::UnmapPages, which writes the constant “2” to a field in the FrameMdl; the FrameMdl pointer came from the context they could corrupt, giving them a constant-value write-where primitive.

They combined this with a technique that abuses Windows’ I/O Ring functionality, pioneered by Yarden Shafir. The I/O Ring object keeps a RegBuffers pointer (presumably “register buffers”) to an array of kernel pointers used for reads/writes on the ring, along with a RegBuffersCount. By exploiting the bug twice, setting RegBuffersCount to a non-zero value (0x2) and setting RegBuffers to a user-mappable address (such as 0x2000000), they could establish an arbitrary read/write.