(no title)
danarmak | 4 years ago
> But even better, it has a security descriptor allowing Everyone + Low IL R/W Access, and an IOCTL interface with absolutely no Probes/SEH, which yes, dereferences wild pointers. They don't even bother checking for input size or output sizes.
If that's true of the driver, then it's a sec vuln regardless of what the MSR bit does or doesn't do, no?
Perolan | 4 years ago
Absolutely a security vulnerability, and while I haven't reproduced on my own and am just going off what I read on the original Twitter thread (so it's possible I could be regurgitating bad info), my understanding is that it gives processes this access by listening to process creation and hashing the name. Meaning if I have a known hash from the list I can simply rename my program / malware and bam.