Kernel Pool Exploitation on Windows 7
In Windows 7, Microsoft introduced safe unlinking to address the growing number of security bulletins affecting the Windows kernel. Prior to removing an entry from a doubly-linked list, safe unlinking aims to detect memory corruption by validating the pointers to adjacent list entries. Hence, an attacker cannot easily leverage generic techniques in exploiting pool overflows or other pool corruption vulnerabilities. In this paper, we show that in spite of the security measures introduced, Windows 7 is still susceptible to generic kernel pool attacks. In particular, we show that the pool allocator may under certain conditions fail to safely unlink free list entries, thus allowing an attacker to corrupt arbitrary memory. In order to thwart the presented attacks, we propose ways to further harden and enhance the security of the kernel pool.
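As an added illustration (not code from the paper or from Windows itself), the following C model shows the check that safe unlinking performs on a doubly-linked free list before removing an entry, and how it refuses an unlink once a neighbour pointer has been overwritten; the `LIST_ENTRY`/`Flink`/`Blink` names follow the Windows convention, but the functions and the constructed list are hypothetical.

```c
#include <stdbool.h>

/* Stand-in for the kernel's LIST_ENTRY; field names follow the Windows convention. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Safe unlinking as the abstract describes it: before removing e, verify that both
 * neighbours still point back at e. On mismatch nothing is written (the real
 * allocator treats this as fatal pool corruption), so an overwritten Flink/Blink
 * cannot be turned into a write to an arbitrary address. */
static bool unlink_safe(LIST_ENTRY *e) {
    if (e->Flink->Blink != e || e->Blink->Flink != e)
        return false;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    return true;
}

/* Intact list head <-> a <-> b: unlinking a must succeed and leave head <-> b. */
int safe_unlink_on_intact_list(void) {
    LIST_ENTRY head, a, b;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    return (unlink_safe(&a) && head.Flink == &b && b.Blink == &head) ? 1 : 0;
}

/* Constructed corruption: a->Flink has been overwritten to point at an unrelated
 * structure whose Blink does not refer back to a. Safe unlinking must refuse and
 * leave the list untouched. */
int safe_unlink_detects_corruption(void) {
    LIST_ENTRY head, a, b, stray = {0};
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    a.Flink = &stray;
    return (!unlink_safe(&a) && head.Flink == &a && b.Blink == &a) ? 1 : 0;
}
```

The paper's point is that the allocator does not reach this check on every free-list removal path; the model only shows what the check guarantees where it is applied.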