HackSysTeam Windows Kernel Vulnerable Driver: Type Confusion Vulnerability Exploitation

Type confusion bugs can be very powerful, with the potential to form the basis of 100% reliable exploits (as per Google Project Zero). More information is available in What is good memory corruption.

According to the Common Weakness Enumeration (CWE-843, "Access of Resource Using Incompatible Type"): the program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. When the program accesses the resource using an incompatible type, this can trigger logical errors because the resource does not have the expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access.

While this weakness is frequently associated with unions when parsing data with many different embedded object types in C, it can be present in any application that can interpret the same variable or memory location in multiple ways.

This weakness is not unique to C and C++. For example, errors in PHP applications can be triggered by providing array parameters when scalars are expected, or vice versa. Languages such as Perl, which perform automatic conversion of a variable of one type when it is accessed as if it were another type, can also contain these issues. More information about this class of bug is available in Hack All the things.

We will use the HackSys Extreme Vulnerable Driver (HEVD) as a demo for exploiting this bug. You can download the vulnerable driver from here: HackSysExtremeVulnerableDriver

In the code below, the #ifdef SECURE block explicitly sets the 'Callback' member of the kernel structure to a known-good function before passing the structure pointer to the initializer function. The #else block does not do so: ObjectType and Callback share the same storage in the kernel structure, so the value copied from the user-supplied ObjectType is later used as the Callback function pointer. That is a vanilla type confusion vulnerability.



Click here to get the source code
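To make the secure/insecure difference concrete, here is an added user-mode C example (not HEVD's own code). It mirrors the two structure layouts the driver uses, with ObjectType and Callback overlapping in a union, and shows that without the SECURE assignment the function pointer the initializer would call is exactly the integer the user supplied. The struct names follow HEVD; LegitimateCallback, BuildKernelObject and InvokeCallbackIfSane are hypothetical helpers written for this demo, and the demo returns the pointer rather than jumping to it so it can run safely.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal user-mode stand-ins for the Windows types used by HEVD. */
typedef uintptr_t ULONG_PTR;
typedef void (*FunctionPointer)(void);

/* Layout the user supplies through the IOCTL: two plain integers. */
typedef struct _USER_TYPE_CONFUSION_OBJECT {
    ULONG_PTR ObjectID;
    ULONG_PTR ObjectType;
} USER_TYPE_CONFUSION_OBJECT;

/* Layout the driver works with: ObjectType and Callback share storage. */
typedef struct _KERNEL_TYPE_CONFUSION_OBJECT {
    ULONG_PTR ObjectID;
    union {
        ULONG_PTR ObjectType;
        FunctionPointer Callback;
    };
} KERNEL_TYPE_CONFUSION_OBJECT;

static int g_callback_hits = 0;

/* Hypothetical stand-in for the legitimate callback the SECURE build installs. */
static void LegitimateCallback(void)
{
    g_callback_hits++;
}

/* Builds the kernel object from user input and returns the pointer the
 * initializer would call, instead of calling it, so the vulnerable path can
 * be observed without dereferencing an attacker-chosen address. */
static ULONG_PTR BuildKernelObject(const USER_TYPE_CONFUSION_OBJECT *UserObject, int secure)
{
    KERNEL_TYPE_CONFUSION_OBJECT KernelObject = {0};

    /* Both builds copy the user fields; the second copy lands in the union. */
    KernelObject.ObjectID = UserObject->ObjectID;
    KernelObject.ObjectType = UserObject->ObjectType;

    if (secure) {
        /* SECURE: overwrite the union with a known-good function before use. */
        KernelObject.Callback = LegitimateCallback;
    }
    /* Insecure build: nothing here, Callback still holds the user's ObjectType bits. */

    return (ULONG_PTR)KernelObject.Callback;
}

/* Mirrors the initializer's call through Callback, but only when it is the
 * known-good function, so the demo never jumps to a bogus address. */
static int InvokeCallbackIfSane(ULONG_PTR Callback)
{
    if (Callback != (ULONG_PTR)LegitimateCallback) {
        return 0; /* in the real driver the CPU would jump to attacker data here */
    }
    ((FunctionPointer)Callback)();
    return 1;
}

int main(void)
{
    /* Constructed input: ObjectType is an attacker-chosen integer. */
    USER_TYPE_CONFUSION_OBJECT User = { 0x1000, (ULONG_PTR)0x41414141 };
    ULONG_PTR insecure = BuildKernelObject(&User, 0);
    ULONG_PTR secure = BuildKernelObject(&User, 1);

    printf("insecure Callback = 0x%lx (user controlled: %s)\n",
           (unsigned long)insecure, insecure == User.ObjectType ? "yes" : "no");
    printf("secure   Callback = %p, invoked: %d\n",
           (void *)secure, InvokeCallbackIfSane(secure));
    return 0;
}
```

The insecure path is where an exploit gets control: whatever ObjectType the user passes becomes the address the kernel calls, which is why this bug class can yield a very reliable primitive.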



Device Input and Output Control (IOCTL)

The DeviceIoControl function provides a device input and output control (IOCTL) interface through which an application can communicate directly with a device driver. The DeviceIoControl function is a general-purpose interface that can send control codes to a variety of devices. Each control code represents an operation for the driver to perform. Click here to get more information
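Control codes are not opaque numbers: they are built with the CTL_CODE macro, which packs the device type, required access, function number and buffering method into 32 bits. The added C example below (not from the original page or from HEVD) reimplements CTL_CODE and the reverse decoding so any control code can be taken apart without Windows headers. The value fed to it, 0x22208B, is my assumption based on HEVD's header (HEVD_IOCTL_TYPE_CONFUSION defined as IOCTL(0x822), with IOCTL wrapping CTL_CODE(FILE_DEVICE_UNKNOWN, n, METHOD_NEITHER, FILE_ANY_ACCESS)); check it against the version you downloaded. ioctl_decode, ioctl_method_name and IOCTL_FIELDS are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout (winioctl.h / ntddk.h):
 *   bits 31..16  DeviceType
 *   bits 15..14  RequiredAccess
 *   bits 13..2   FunctionCode (12 bits)
 *   bits  1..0   TransferType (buffering method) */
#define CTL_CODE(DeviceType, Function, Method, Access)                    \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) |       \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0

/* HEVD's own wrapper macro, as assumed in the lead-in. */
#define HEVD_IOCTL(Function) \
    CTL_CODE(FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS)

typedef struct {
    uint32_t DeviceType;
    uint32_t Access;
    uint32_t Function;
    uint32_t Method;
} IOCTL_FIELDS;

/* Reverse of CTL_CODE: extract each field with the same shifts and masks. */
IOCTL_FIELDS ioctl_decode(uint32_t code)
{
    IOCTL_FIELDS f;
    f.DeviceType = (code >> 16) & 0xFFFF;
    f.Access     = (code >> 14) & 0x3;
    f.Function   = (code >> 2)  & 0xFFF;
    f.Method     = code & 0x3;
    return f;
}

/* Re-encode decoded fields; useful to confirm a decode is lossless. */
uint32_t ioctl_encode(IOCTL_FIELDS f)
{
    return CTL_CODE(f.DeviceType, f.Function, f.Method, f.Access);
}

const char *ioctl_method_name(uint32_t method)
{
    switch (method) {
    case METHOD_BUFFERED:   return "METHOD_BUFFERED";
    case METHOD_IN_DIRECT:  return "METHOD_IN_DIRECT";
    case METHOD_OUT_DIRECT: return "METHOD_OUT_DIRECT";
    default:                return "METHOD_NEITHER";
    }
}

int main(void)
{
    /* Assumed HEVD type confusion control code; verify against your copy of the driver. */
    uint32_t code = 0x22208B;
    IOCTL_FIELDS f = ioctl_decode(code);

    printf("IOCTL 0x%06X\n", code);
    printf("  DeviceType : 0x%X%s\n", f.DeviceType,
           f.DeviceType == FILE_DEVICE_UNKNOWN ? " (FILE_DEVICE_UNKNOWN)" : "");
    printf("  Access     : 0x%X\n", f.Access);
    printf("  Function   : 0x%X\n", f.Function);
    printf("  Method     : %u (%s)\n", f.Method, ioctl_method_name(f.Method));
    printf("  re-encoded : 0x%06X, HEVD_IOCTL(0x822) = 0x%06X\n",
           ioctl_encode(f), HEVD_IOCTL(0x822));
    return 0;
}
```

The method field matters for exploitation: with METHOD_NEITHER the I/O manager neither copies nor maps the caller's buffer, so the driver receives the raw user-mode pointer and is responsible for validating it before reading the object from it.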

Since the driver is open source, you can find the IOCTL code at the link above. If the source code is not available, we would need to reverse engineer the driver to recover the IOCTL code required to trigger the bug.

For the type confusion vulnerability, the IOCTL code is defined as below:



Let's decode the IOCTL code manually.