Tuesday, November 13, 2018

Recent kernel memory disclosure bugs in CANVAS

In July 2017, a blog post from Anders Fogh introduced the idea of leaking kernel memory from unprivileged userland. This was later followed by the public introduction of both Spectre and Meltdown and their corresponding coverage in the media. For Immunity this was the perfect opportunity to not only write two Spectre exploits for CANVAS (the Windows version being CEU only) but also a framework dedicated to this vulnerability class. In particular, we also wrote CANVAS exploits for CVE-2017-18344 and CVE-2018-14656. Some of our exploitation notes have been published on the Immunity website:

Part 1: https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_1.pdf
Part 2: https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_2.pdf