Windows Kernel Logic Bug Class: Access Mode Mismatch in IO Manager

Posted by James Forshaw, Project Zero
This blog post is an in-depth look at an interesting logic bug class in the Windows Kernel and what I did to try to get it fixed with our partners at Microsoft. The maximum impact of the bug class is local privilege escalation if kernel and driver developers don’t take into account how the IO manager operates when accessing device objects. This post discusses how I discovered the bug class and the technical background behind it. For more information about the further investigation, the fix, and how to avoid writing new code that exhibits the bug class, refer to MSRC’s blog post.

Technical Background

I first stumbled upon the bug class while trying to exploit issue 779. This issue was a file TOCTOU (time-of-check to time-of-use) which bypassed the custom font loading mitigation policy. The mitigation policy was introduced in Windows 10 to limit the impact of exploitable font memory corruption vulnerabilities. Normally it’d be trivial to exploit a file TOCTOU issue using a combination of file and Object Mana…