A customer reported a vulnerability in a kernel function,
let's call it
kfunc. The kfunc function doesn't validate any of
the pointers passed to it.
As a result, you can pass anything you want as the output pointer,
and it will blindly try to write to it.
If you pass null, you will crash the kernel.
Or if you pass a pointer to memory you want to corrupt,
you can corrupt an arbitrary 4-byte value.
Maybe I can find a way to pass an invalid parameter from user space
all the way down to the
Please contact us soon regarding this issue!
Okay, first things first.
In the first paragraph, there is no elevation.
The kfunc function is callable only
from kernel mode.
The caller is in kernel mode,
and it is tricking a kernel mode function into writing to
an arbitrary memory location.
But so what?
The caller could just save itself the trouble of using
kfunc as the middle man and just corrupt the
In other words, instead of
you can just do
*crazy_pointer_value = 42;
This is even more powerful, because not only do you
get to corrupt the memory at crazy_pointer_value,
you even get to pick what value to corrupt it with!
Now, if there were a way to call the kfunc function
with parameters controlled by user mode,
then you would be onto something.
Which leads us to the next paragraph,
which boils down to
"Maybe there is a way to call the kfunc function
with parameters controlled by user mode."
In other words, the second paragraph says,
"Maybe I can find a vulnerability."
Yeah, maybe you can find a vulnerability.
Let us know if you do.
But so far, you haven't found a vulnerability.
All you've said is "Maybe there is somebody who is doing a bad thing."
"Industrial paper-cutting machines are dangerous and expensive.
We keep the paper-cutting machine in a special room,
and only people who have gone through training are allowed
in the room.
Maybe there is a way to get somebody who has access to the special room
to put an unauthorized object in the paper-cutting machine and damage it."
If you find such a person, let us know.
Because they're in a lot of trouble.
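
The point about parameters controlled by user mode, as an added example that is not from the original post: a small C model in which the stand-in kfunc trusts its caller, so whether a vulnerability exists is decided at the entry point that accepts an address from user mode. The simulated address space, the address constants and the sys_kfunc_* entry points are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one flat simulated address space. Addresses in
   [USER_BASE, USER_LIMIT) belong to user mode; the rest is kernel-only. */
#define MEM_SIZE   0x2000u
#define USER_BASE  0x0100u  /* low page unmapped, so 0 (null) is never valid */
#define USER_LIMIT 0x1000u
#define KERNEL_VAR 0x1800u  /* hypothetical kernel-owned 4-byte value */

static uint8_t mem[MEM_SIZE];

static uint32_t read32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, &mem[addr], sizeof v);
    return v;
}

/* Stand-in for kfunc: trusts its caller and writes wherever it is told.
   The range check only keeps the simulation in bounds; -1 models a crash. */
static int kfunc(uint32_t out_addr, uint32_t value) {
    if (out_addr > MEM_SIZE - sizeof value) return -1;
    memcpy(&mem[out_addr], &value, sizeof value);
    return 0;
}

/* Hypothetical system-call entry that forwards a user-supplied address
   unchecked. This is the kind of path that would be a vulnerability. */
static int sys_kfunc_unchecked(uint32_t user_addr, uint32_t value) {
    return kfunc(user_addr, value);
}

/* Hypothetical entry that validates at the boundary: all 4 bytes must lie
   in user memory. Comparing against LIMIT - len avoids integer wraparound. */
static int sys_kfunc_checked(uint32_t user_addr, uint32_t value) {
    if (user_addr < USER_BASE) return -1;
    if (user_addr > USER_LIMIT - sizeof value) return -1;
    return kfunc(user_addr, value);
}

int main(void) {
    printf("checked, user address:   %d\n", sys_kfunc_checked(0x0200u, 42));
    printf("checked, kernel address: %d\n", sys_kfunc_checked(KERNEL_VAR, 42));
    int rc = sys_kfunc_unchecked(KERNEL_VAR, 42);
    printf("unchecked, kernel address: %d, value now %u\n", rc, (unsigned)read32(KERNEL_VAR));
    return 0;
}
```

In this model a direct call to kfunc with a kernel address succeeds too, but that caller is already kernel code and gains nothing it could not do with a plain store.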
This post first appeared on MSDN Blogs.