Defeating magic by magic:Using ALPC security features to compromise RPC services
Free on SceneLog — log in or create an account to track it.
Overview
Advanced Local Procedure Call (ALPC) is a Windows kernel Inter Process Communication method, which has recently seen numerous vulnerabilities related to TOCTOU file operations and memory corruption. Despite Windows' security measures, we identified a flaw in the ALPC security mechanism that allowed unauthorized users to gain system privileges. In this talk, we will overview ALPC and RPC communication mechanisms, including the marshal/unmarshal process and kernel security in ALPC syscalls. We’ll analyze historical bugs, detail the vulnerability we discovered, and demonstrate exploitation methods. Finally, we’ll share insights on this attack surface and offer tips on finding similar bugs
Comments
Be the first to comment.
Leave a comment
Your email won't be published. Comments are reviewed before they appear.