Windows Hooks of Death: Kernel Attacks Through User-Mode Callbacks presented at BlackhatUSA 2011

by Tarjei Mandt,


Summary : 15 years ago, Windows NT 4.0 introduced Win32k.sys to address the inherent limitations of the older client-server graphics subsystem model. Today, win32k still remains a fundamental component of the Windows architecture and manages both the Window Manager (USER) and Graphical Device Interface (GDI).
In order to properly interface with user-mode data, win32k makes use of user-mode callbacks, a mechanism allowing the kernel to make calls back into user-mode.
User-mode callbacks enable a variety of tasks such as invoking application-defined hooks, providing event notifications, and copying data to/from user-mode. In this talk, we discuss the many challenges and problems concerning user-mode callbacks in win32k. We will show how win32k's questionable design potentially may have introduced hundreds of subtle vulnerabilities, which so far have resulted in numerous patch bulletins. Recently, MS11-034 addressed a record number (30) of privilege escalation vulnerabilities in an effort to remove multiple bug classes related to user-mode callbacks. However, in spite of the attempts made to address these vulnerabilities, the underlying problem still persists.