Abusing GDI for Ring0 Exploit Primitives: Evolution

Windows 10 kernel exploitation techniques based on the latest Windows 10 RS3 insider preview


Evolution in Windows exploitation techniques led to enormous efforts by vendors to protect their software with exploit mitigations including among other things, sandbox implementations in Chrome, Edge, Firefox, and the latest versions of Microsoft Office. At the same time, Microsoft increased efforts to protect the Windows kernel, especially in Windows 10, implementing a considerable amount of new exploit mitigations with each update (particularly in Anniversary and Creators Update.)
As part of the infamous incident involving Hacking Team in 2015, kernel exploits were leaked which used techniques to abuse GDI objects. These techniques were described and presented in 2015 at the Ekoparty security conference in the first talk of the series, “Abusing GDI for ring0 exploit primitives”. In the Windows 10 “Anniversary Update” (v1607), this technique was partly mitigated. A year later, at Ekoparty 2016, the second version of this talk was presented under the name “Abusing GDI for ring0 exploit primitives: Reloaded”, in which a new technique was introduced, to continue abusing GDI objects. Microsoft once again mitigated part of this technique in the new Windows 10 “Creators Update” (v1703) that was rolled out in April 2017.
Despite Microsoft's effort to mitigate this vector, the latest techniques based on GDI objects still remain as effective as the original ones in previous versions of Windows. In this third presentation, we will explain how to use one of these techniques for reliable kernel exploitation on Windows 10 (v1703). Based on the most current Insiders Preview (RS3-RedStone3), we will take a look at Microsoft's mitigation plan for its future update (Fall Creators Update) and demonstrate a way to bypass it. Finally a full sandbox escape in Microsoft Edge on Windows 10 is demonstrated based on the described techniques.


Links to the slides presented at Ekoparty 2017 can be found below: