65 matches found

exploitpack
added 2019/10/10 12:0 a.m., 15 views

Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File

Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File We have encountered a Windows kernel crash in memcpy called by nt!MiParseImageLoadConfig while trying to load a malformed PE image into the process address space as a data file i.e...

0.3 AI score
Exploits: 0

exploitpack
added 2019/10/10 12:0 a.m., 17 views

Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter

Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example crash log excerpt generated after triggering the bug is shown below: --- cut ---...

0.3 AI score
Exploits: 0

exploitpack
added 2019/10/10 12:0 a.m., 26 views

Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File

Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File We have encountered a Windows kernel crash in nt!MiOffsetToProtos while trying to load a malformed PE image into the process address space as a data file, i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE |...

0.1 AI score
Exploits: 0

Exploit DB
added 2019/10/10 12:0 a.m., 252 views

Microsoft Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File

We have encountered a Windows kernel crash in nt!MiOffsetToProtos while trying to load a malformed PE image into the process address space as a data file, i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE). An example crash log generated after triggering the bug is shown below: -...

7.4 AI score
Exploits: 0

Exploit DB
added 2019/10/10 12:0 a.m., 280 views

Microsoft Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File

We have encountered a Windows kernel crash in memcpy called by nt!MiParseImageLoadConfig while trying to load a malformed PE image into the process address space as a data file, i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE). An example crash log generated after triggering th...

7.4 AI score
Exploits: 0

Exploit DB
added 2019/10/10 12:0 a.m., 217 views

Microsoft Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File

We have encountered a Windows kernel crash in CI!HashKComputeFirstPageHash while trying to load a malformed PE image into the process address space as a data file, i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE). An example crash log generated after triggering the bug is shown...

7.4 AI score
Exploits: 0

exploitpack
added 2018/09/19 12:0 a.m., 33 views

Microsoft Windows - Double Dereference in NtEnumerateKey Elevation of Privilege

Microsoft Windows - Double Dereference in NtEnumerateKey Elevation of Privilege Windows: Double Dereference in NtEnumerateKey Elevation of Privilege Platform: Windows 10 1803 (not vulnerable in earlier versions) Class: Elevation of Privilege Summary: A number of registry system calls do not correct...

0.3 AI score
Exploits: 0

0day.today
added 2018/09/19 12:0 a.m., 96 views

Microsoft Windows - Double Dereference in NtEnumerateKey Elevation of Privilege Exploit

Exploit for windows platform in category dos / poc Windows: Double Dereference in NtEnumerateKey Elevation of Privilege Platform: Windows 10 1803 (not vulnerable in earlier versions) Class: Elevation of Privilege Summary: A number of registry system calls do not correctly handle pre-defined keys...

7 AI score, 0.03978 EPSS
Exploits: 2

Exploit DB
added 2018/09/19 12:0 a.m., 63 views

Microsoft Windows - Double Dereference in NtEnumerateKey Elevation of Privilege

Windows: Double Dereference in NtEnumerateKey Elevation of Privilege Platform: Windows 10 1803 (not vulnerable in earlier versions) Class: Elevation of Privilege Summary: A number of registry system calls do not correctly handle pre-defined keys resulting in a double dereference which can lead to...

7.4 AI score
Exploits: 0

seebug.org
added 2017/10/13 12:0 a.m., 89 views

Microsoft Windows10 AHCACHE.SYS Remote Denial Of Service(CVE-2016-3369)

Summary A denial of service vulnerability exists in the AHCACHE.SYS driver. A specially crafted Portable Executable file can cause a bugcheck in the Windows kernel resulting in remote denial of service. Tested Versions Windows 10, AHCACHE.SYS version 10.0.10586.0 Tested on Windows 10 X86 Product...

7.8 CVSS, 7.3 AI score, 0.12195 EPSS
Exploits: 1

seebug.org
added 2017/06/27 12:0 a.m., 72 views

Windows Kernel ATMFD.DLL out-of-bounds read due to malformed Name INDEX in the CFF table(CVE-2017-8483)

We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file, see below: --- DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6) N bytes of memory was allocated and more than N bytes are being referenced. This cannot be protected by try-except. When...

9.3 CVSS, 5.9 AI score, 0.36366 EPSS
Exploits: 5

exploitpack
added 2017/06/23 12:0 a.m., 47 views

Microsoft Windows Kernel - ATMFD.DLL Out-of-Bounds Read due to Malformed Name INDEX in the CFF Table

Microsoft Windows Kernel - ATMFD.DLL Out-of-Bounds Read due to Malformed Name INDEX in the CFF Table Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1213 We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file, see...

9.3 CVSS, 0.2 AI score, 0.36366 EPSS
Exploits: 5

Microsoft KB
added 2017/05/09 7:0 a.m., 78 views

May 9, 2017—KB4019213 (Security-only update)

May 9, 2017—KB4019213 Security-only update Improvements and fixes This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication,...

9.3 CVSS, 7.1 AI score, 0.84138 EPSS
Exploits: 20

Microsoft KB
added 2017/04/11 7:0 a.m., 115 views

April 11, 2017—KB4015547 (Security-only update)

April 11, 2017—KB4015547 Security-only update Improvements and fixes This security update resolves security vulnerabilities in Hyper-V, libjpeg image-process library, Win32K, Adobe Type Manager font driver, Active Directory Federation Services, Lightweight Directory Access Protocol, Windows...

9.3 CVSS, 7.6 AI score, 0.13975 EPSS
Exploits: 7

exploitpack
added 2017/03/20 12:0 a.m., 13 views

Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc nt!ExpFindAndRemoveTagBigPages (MS17-017)

Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc nt!ExpFindAndRemoveTagBigPages MS17-017 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=993 We have encountered Windows kernel crashes in the internal nt!nt!HvpGetBinMemAlloc and...

7.3 AI score
Exploits: 0

myhack58
added 2017/03/07 12:0 a.m., 114 views

HEVD kernel vulnerability training of SMEP bypass-vulnerability warning-the black bar safety net

This article's content is fairly basic, but also rather fun. Of course, I have seen Yuan Ge mention DVE for bypassing mitigations; DVE feels very magical to me, but I still do not quite understand it and very much want to learn. Two days ago the security client published an article, HEVD kernel...

Exploits: 0

0day.today
added 2016/11/16 12:0 a.m., 73 views

Microsoft Windows Kernel - Registry Hive Loading 'nt!RtlEqualSid' Out-of-Bounds Read (MS

Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=874 We have encountered a Windows kernel crash in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by nt!CmpCheckSecurityCellAccess while loading corrupted registry hiv...

2.1 CVSS, 6.3 AI score, 0.04142 EPSS
Exploits: 1

exploitpack
added 2016/11/15 12:0 a.m., 10 views

Microsoft Windows Kernel - Registry Hive Loading nt!RtlEqualSid Out-of-Bounds Read (MS16-138)

Microsoft Windows Kernel - Registry Hive Loading nt!RtlEqualSid Out-of-Bounds Read MS16-138 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=874 We have encountered a Windows kernel crash in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by...

7.4 AI score
Exploits: 0

exploitpack
added 2016/10/20 12:0 a.m., 30 views

Microsoft Windows - win32k.sys TTF Processing win32k!sbit_Embolden win32k!ttfdCloseFontContext Use-After-Free (MS16-120)

Microsoft Windows - win32k.sys TTF Processing win32k!sbit_Embolden win32k!ttfdCloseFontContext Use-After-Free MS16-120 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=868 We have encountered Windows kernel crashes in the win32k!sbit_Embolden and win32k!ttfdCloseFontContext functio...

0.9 AI score
Exploits: 0

Exploit DB
added 2016/10/20 12:0 a.m., 86 views

Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=868 We have encountered Windows kernel crashes in the win32k!sbit_Embolden and win32k!ttfdCloseFontContext functions while processing corrupted TTF font files. Excerpts of them are shown below: --- KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)...

7.4 AI score
Exploits: 0