ITSEC Newsletter 2024-05-02

Back in October of 2023, RiskInsight published a blog post that caught my attention. The post explained A universal EDR bypass built in Windows 10, detailing a “bug” that allows a user to disable logging of certain ETW-TI events for a given process from user mode without the expected PPL requirement. As RiskInsight already explained this in detail, I will not be explaining background on how ETW-TI works under the hood. I will simply be building upon their blog post, with the aim of showing how I went from their post to a functional POC.

This blog post showcases a pretty old (2019) vulnerability I found in VirtualBox, which allowed a guest-to-host escape. I decided to post this as there are interesting educational & methodological takeaways that could be learned, especially for young researchers. I will walk you through my chain of thought, from the beginning until the end, showing my young self’s thinking process that led me to this finding. Note: In this post I will use a vulnerable version of VirtualBox’s source code (6.0.4).

The upcoming version of Windows 11, 24H2, is currently in public preview via the Windows Insider Program. This post covers the process of discovering multiple kernel vulnerabilities introduced in 24H2 and writing an exploit, including bypassing new hardening to kernel ASLR (KASLR). All the vulnerabilities described here are in the NT kernel itself (ntoskrnl.exe), in syscalls which may be called by any process, regardless of its privilege level or sandbox.