Exploiting Hardcore Pool Corruptions in Microsoft Windows Kernel

A session at CONFidence 2013

Tuesday 28th May, 2013

2:50pm to 3:40pm (WMT)

With each new version of the Windows OS, Microsoft enhances security by adding mitigation mechanisms.

Kernel-land vulnerabilities are becoming more and more valuable these days. For example, the easiest way to escape from a sandbox (the Google Chrome sandbox, for instance) is by using a kernel vulnerability.

That is why Microsoft strives to enhance the security of the Windows kernel. The kernel pool allocator plays a significant role in the security of the whole kernel, and since Windows 7 Microsoft has been hardening it.

Tarjei Mandt (kernelpool) has done great work analyzing the internals of the kernel pool allocator, including attack techniques, mitigation bypasses, etc. In Windows 8 Microsoft has eliminated almost all reliable techniques for exploiting kernel pool corruptions. However, Tarjei's techniques require many prerequisites to succeed; unfortunately, there are many types of pool corruption where they do not work.

What if there is no control over the overflowing data?
What if the overflow consists of a constant (zero bytes) and you have no chance to apply one of Tarjei's techniques?
What if there is an uncontrolled continuous overflow and a page fault (#PF) and BSOD are unavoidable?

So what to do?
Commit suicide instantly?


Come and see this talk!

This talk presents a technique for 100% reliable exploitation of kernel pool corruptions.
This unique technique works on every version from NT 4.0 through Windows 8 inclusive.

About the speaker

Nikita Tarakanov

Vulnerability Assassin. Crazy Wild Russian. Aligner of stars. Hoodlum on nightmare. Do you still believe what is written in Cyrillic? (bio from Twitter)


CONFidence 2013

Krakow, Poland

28th to 29th May 2013
