Researchers demonstrate method to bypass kernel security measures in all Windows versions

During the BSides security conference that was held earlier this month, researchers from digital security company EnSilo demonstrated a general technique to leverage with kernel vulnerabilities and make privilege escalation easier. Their method works on all Windows versions and likely also on Linux and macOS.

Researchers demonstrate method to bypass kernel security measures in all Windows versions

Microsoft has added a number security measures that are designed to protect the kernel against attackers. However, researchers Omri Misgav and Udi Yavo have found a new method that allows an attacker who already has access to the system to bypass kernel limitations and to achieve higher privileges, including SYSTEM rights.

To bypass the security measures and to elevate privileges, the researchers manipulated so-called “page tables”. These are data structures used by operating systems to map virtual memory to physical memory. By manipulating page tables in a specific way, it’s possible to manipulate shared code pages that affect all system processes.

“The key to the success of the technique is the fact that the same code for both low and high privilege processes is stored in the same place in RAM in an effort to more efficiently consume physical memory,” according to security researcher Omri Misgav in a blog.

By manipulating this shared memory, the researchers were able to execute a malicious payload by a process with escalated privileges. The main difference between this new method and previous techniques is that it also works when Virtualization Based Security (VBS) from Windows is enabled.

Microsoft has been informed about the technique(PDF) prior to the public disclosure of the method.

Because also other operating systems use shared memory, the researchers also expect it works on Linux and macOS.