4 matches found
Windows Kernel stack memory disclosure in DeviceApi (CVE-2017-8474)
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 through the PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp IOCTLs sent to the \Device\DeviceApi device. The analysis shown below was...
Microsoft Windows - DeviceApi CMApi PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=872 Windows: DeviceApi CMApi PiCMOpenClassKey Arbitrary Registry Key Write EoP Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7 Class: Elevation of Privilege Summary: The DeviceApi CMApi PiCMOpenClassKey IOCTL allo...
Microsoft Windows - DeviceApi CMApi User Hive Impersonation Privilege Escalation (MS16-124)
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=875 Windows: DeviceApi CMApi User Hive Impersonation EoP Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7 Class: Elevation of Privilege Summary: The DeviceApi CMApi PnpCtxRegOpenCurrentUserKey function doesn’t chec...
Microsoft Windows - DeviceApi CMApi User Hive Impersonation Privilege Escalation (MS16-124)
Microsoft Windows - DeviceApi CMApi User Hive Impersonation Privilege Escalation MS16-124 / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=875 Windows: DeviceApi CMApi User Hive Impersonation EoP Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7 Class: Elevation o...