SceneLog
Defeating magic by magic:Using ALPC security features to compromise RPC services

Defeating magic by magic:Using ALPC security features to compromise RPC services

S32 · E7 August 9, 2024

Free on SceneLog — log in or create an account to track it.

Overview

Advanced Local Procedure Call (ALPC) is a Windows kernel Inter Process Communication method, which has recently seen numerous vulnerabilities related to TOCTOU file operations and memory corruption. Despite Windows' security measures, we identified a flaw in the ALPC security mechanism that allowed unauthorized users to gain system privileges. In this talk, we will overview ALPC and RPC communication mechanisms, including the marshal/unmarshal process and kernel security in ALPC syscalls. We’ll analyze historical bugs, detail the vulnerability we discovered, and demonstrate exploitation methods. Finally, we’ll share insights on this attack surface and offer tips on finding similar bugs

Comments

Be the first to comment.

Leave a comment

Your email won't be published. Comments are reviewed before they appear.