From Logic to Memory - Winning the Solitaire in Reparse Points

Explore a 37-minute Black Hat conference talk that delves into reparse points and file redirection vulnerabilities in Windows system services. Learn about the discovery of a 0-day logic vulnerability that bypasses current mitigations, leading to a win in the Windows EoP category at Pwn2Own 2021. Gain insights into undisclosed exploit techniques, the challenges of exploitation, and the unique vulnerability discovery strategy. Examine the root cause of vulnerable code, file operations timeline, and race conditions. Understand the memory corruption vulnerability model, including out-of-bounds read crashes and race conditions. Discover the MSRC response, timeline, and the impact of this new attack surface on future bug hunting. Presented by Bo Qu and Tao Yan, this talk offers valuable knowledge for security researchers and professionals interested in Windows system vulnerabilities and exploitation techniques.

black hat EUROPE 2021
Reparse Points
File Redirection Attacks
File Redirection Mitigations #3
Make the exploitation harder
The unique vulnerability discovery strategy
Reset Solitaire
Root cause: vulnerable code
Challenges
Re-visit the vulnerability
File Operations Timeline
Race Window #0
Success rate expectation
Stability, stability, stability!
Reparse Data Structure
Reparse Point Tag
The memory corruption vulnerability model
Find the target - dynamic
Memory corruption vulnerability examples
Desktop bridge activation
Create the client
Read reparse point in Appinfo service
Set reparse point for OOB read
Out of bounds read crash
Race condition
MSRC response and timeline
The new attack surface impact
Future bug hunting insights
Summary