Microsoft Windows - 'nt!NtQueryInformationTransactionManager (TransactionManagerRecoveryInformation)' Kernel Pool Memory Disclosure

/ We have discovered that the nt!NtQueryInformationTransactionManager system call invoked with the TransactionManagerRecoveryInformation 4 information class may disclose uninitialized kernel pool memory to user-mode clients. The vulnerability affects Windows 7 to 10, 32/64-bit. The output structu...

Windows Kernel 64-bit pool memory disclosure in NtQueryVirtualMemory(MemoryMappedFilenameInformation)(CVE-2018-0894)

We have discovered that the nt!NtQueryVirtualMemory system call invoked with the 2 information class MemoryMappedFilenameInformation discloses portions of uninitialized kernel pool memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The output buffer for thi...

Microsoft Windows Kernel - NtQueryVirtualMemory(MemoryMappedFilenameInformation) 64-bit Pool Memory Disclosure

Microsoft Windows Kernel - NtQueryVirtualMemoryMemoryMappedFilenameInformation 64-bit Pool Memory Disclosure / We have discovered that the nt!NtQueryVirtualMemory system call invoked with the 2 information class MemoryMappedFilenameInformation discloses portions of uninitialized kernel pool memor...

Microsoft Windows Kernel - NtQueryVirtualMemory(MemoryMappedFilenameInformation) 64-bit Pool Memory

Exploit for windows platform in category dos / poc / We have discovered that the nt!NtQueryVirtualMemory system call invoked with the 2 information class MemoryMappedFilenameInformation discloses portions of uninitialized kernel pool memory to user-mode clients. The vulnerability affects 64-bit...

Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' 64-bit Pool Memory Disclosure

/ We have discovered that the nt!NtQueryVirtualMemory system call invoked with the 2 information class MemoryMappedFilenameInformation discloses portions of uninitialized kernel pool memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The output buffer for...

Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138, QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure

/ We have discovered that the nt!NtQuerySystemInformation system call invoked with the 138 information class discloses portions of uninitialized kernel pool memory to user-mode clients. The specific information class is handled by an internal nt!ExpQueryMemoryTopologyInformation function. While w...

Microsoft Windows - nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation) Kernel Pool Memory Disclosure

Microsoft Windows - nt!NtQuerySystemInformation information class 138 QueryMemoryTopologyInformation Kernel Pool Memory Disclosure / We have discovered that the nt!NtQuerySystemInformation system call invoked with the 138 information class discloses portions of uninitialized kernel pool memory to...

Microsoft Windows 10 - 'nt!NtQueryDirectoryFile (luafv!LuafvCopyDirectoryEntry)' Pool Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1361 We have discovered that the nt!NtQueryDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients on Windows 10, due to uninitialized fields in the output structure being copied to the...

Microsoft Windows 10 - nt!NtQueryDirectoryFile (luafv!LuafvCopyDirectoryEntry) Pool Memory Disclosure

Microsoft Windows 10 - nt!NtQueryDirectoryFile luafv!LuafvCopyDirectoryEntry Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1361 We have discovered that the nt!NtQueryDirectoryFile system call discloses portions of uninitialized pool memory to user-mode...

Microsoft Windows Kernel Local Information Disclosure Vulnerability(CVE-2017-11785)

We have discovered that the nt!NtQueryObject syscall handler discloses portions of uninitialized pool memory to user-mode clients when the following conditions are met: 1. It is invoked with the ObjectNameInformation information class and a file object associated with a file on local disk other...

Microsoft Windows Kernel - win32k!NtGdiGetGlyphOutline Pool Memory Disclosure

Microsoft Windows Kernel - win32k!NtGdiGetGlyphOutline Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1267&desc=2 We have discovered that the win32k!NtGdiGetGlyphOutline system call handler may disclose large portions of uninitialized pool memory to...

Microsoft Windows Kernel Local Information Disclosure Vulnerability(CVE-2017-8564)

We have discovered that the handler of the 0x120007 IOCTL in nsiproxy.sys \.\Nsi device discloses portions of uninitialized pool memory to user-mode clients, likely due to output structure alignment holes. On our test Windows 7 32-bit workstation, an example layout of the output buffer is as...

Microsoft Windows Kernel - IOCTL 0x120007 (NsiGetParameter) nsiproxy/netio Pool Memory Disclosure

Exploit for windows platform in category dos / poc / We have discovered that the handler of the 0x120007 IOCTL in nsiproxy.sys \.\Nsi device discloses portions of uninitialized pool memory to user-mode clients, likely due to output structure alignment holes. On our test Windows 7 32-bit...

Microsoft Windows Kernel - IOCTL 0x120007 NsiGetParameter nsiproxynetio Pool Memory Disclosure

Microsoft Windows Kernel - IOCTL 0x120007 NsiGetParameter nsiproxynetio Pool Memory Disclosure / We have discovered that the handler of the 0x120007 IOCTL in nsiproxy.sys \.\Nsi device discloses portions of uninitialized pool memory to user-mode clients, likely due to output structure alignment...

Windows Kernel pool memory disclosure in nt!NtNotifyChangeDirectoryFile(CVE-2017-0299)

We have discovered that the nt!NtNotifyChangeDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test Windows 10 32-bit workstation, an example layout of the output buffer is as follows: --- cut ---...

Microsoft Windows Kernel - ATMFD.DLL Out-of-Bounds Read due to Malformed Name INDEX in the CFF Table

Microsoft Windows Kernel - ATMFD.DLL Out-of-Bounds Read due to Malformed Name INDEX in the CFF Table Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1213 We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file, see...

Microsoft Windows - IOCTL_DISK_GET_DRIVE_GEOMETRY_EX Kernel partmgr Pool Memory Disclosure

Microsoft Windows - IOCTLDISKGETDRIVEGEOMETRYEX Kernel partmgr Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1156&desc=2 We have discovered that the handler of the IOCTLDISKGETDRIVEGEOMETRYEX IOCTL in partmgr.sys discloses portions of uninitialized poo...

Microsoft Windows - win32k!NtGdiEnumFonts Kernel Pool Memory Disclosure

Microsoft Windows - win32k!NtGdiEnumFonts Kernel Pool Memory Disclosure Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1153 We have discovered that the win32k!NtGdiEnumFonts system call handler discloses very large portions of uninitialized pool memory to user-mode clients. The...

Microsoft Windows - IOCTL_DISK_GET_DRIVE_LAYOUT_EX Kernel partmgr Pool Memory Disclosure Exploit

Exploit for windows platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1159 We have discovered that the handler of the IOCTLDISKGETDRIVELAYOUTEX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients. The issue can...

Microsoft Windows - 'IOCTL_DISK_GET_DRIVE_LAYOUT_EX' Kernel partmgr Pool Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1159 We have discovered that the handler of the IOCTLDISKGETDRIVELAYOUTEX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients. The issue can be reproduced by running the attached...