Sign in to confirm you’re not a bot

This helps protect our community. Learn more

Why so Spurious? Achieving Local Privilege Escalation on Operating Systems

240K subscribers

1K views 5 years ago

There exists a "feature" in the x86 architecture that, due to improper programming by many operating system vendors, can be exploited to achieve local privilege escalation. At the time of discovery, this issue was present on the latest-and-greatest versions of Microsoft Windows, Apple's macOS, and certain distributions of Linux. This issue, very likely, impacts other operating systems on the x86 architecture. By Nemanja Mulasmajic + Nicolas Peterson Full abstract and materials: https://www.blackhat.com/us-18/briefi...

...more

...more

INTERRUPTS AND THE IDT

THE STACK WHEN AN INTERRUPT OCCURS

THE INT 1 HANDLER KIDEBUGTRAPORFAULT

MOV/POP SS

Discovered it while building VM detection mechanisms What if a VMEXIT occurs during a blocking period?

SO, WHAT HAPPENS? 2 The INT 3 executes in the context of

Opcode Instruction

QUICK RECAP

INITIAL WEAPONIZING

MORE CHALLENGE... • CPU does the driver loading

THE SYSCALL HANDLER KISYSTEMCALL64

SYSCALL FUNCTIONS SIMILAR TO INT 3 2

MICROSOFT'S FIX

LESSONS LEARNED

Why so Spurious? Achieving Local Privilege Escalation on Operating Systems

25Likes

1,058Views

2020Jan 14

There exists a "feature" in the x86 architecture that, due to improper programming by many operating system vendors, can be exploited to achieve local privilege escalation. At the time of discovery, this issue was present on the latest-and-greatest versions of Microsoft Windows, Apple's macOS, and certain distributions of Linux. This issue, very likely, impacts other operating systems on the x86 architecture. By Nemanja Mulasmajic + Nicolas Peterson Full abstract and materials: https://www.blackhat.com/us-18/briefi...

Transcript

Follow along using the transcript.

Black Hat

240K subscribers