Leaking Kernel Memory from User Space Using NtQuerySystemInformation as a Low Priv User
I read an interesting blog (found below) on exploiting an Arbitrary Write NULL vulnerability, which utilized NtQuerySystemInformation as a low-privilege user to leak SYSTEM addresses/pointers (handle information). Finding this interesting, I turned to ASATA to see how prevalent this API call was in privilege attacks - extremely! Now I wanted to test this for myself: I wanted to see how a low-privileged user could access kernel memory (handle/object data) from user space, using NtQuerySystemInformation and the SYSTEM_HANDLE_INFORMATION structure.
I used ASATA to search for some suitable called versions of NtQuerySystemInformation (either in CPP or C#), finally settling on a function found in Jean-Francois's SharpHandler (found below). After creating my binary, I had a look at what MDE saw and, interestingly enough, there was a benign warning for anomalous memory allocation ("NtProtectVirtualMemory"), but no alerts (a possible detection opportunity for this kind of attack). Since I hadn't imported this function, it looks like NtQuerySystemInformation calls NtProtectVirtualMemory to change memory permissions and allow access from user space to kernel memory. I tried to confirm this with WinDBG, but it is almost unusable since upgrading to Windows 11 – buggy!
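As an added illustration of the query the post describes (this is example code written for this post, not code from SharpHandler, ASATA or the linked blogs), the following C# program calls NtQuerySystemInformation with the SystemHandleInformation class from a normal user account, walks the returned SYSTEM_HANDLE_INFORMATION array, and reports how many entries carry a non-zero kernel Object pointer. The class value (16), the STATUS_INFO_LENGTH_MISMATCH retry loop and the entry layout follow the public documentation linked below; the grow-the-buffer loop is the edge case that trips up naive callers, because the handle table is large and keeps changing between calls. Running it as a standard user is a quick way to confirm on a given build whether kernel object addresses really are handed to unprivileged callers, which is the exposure the post is about.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not the post's own code: enumerate SystemHandleInformation as a
// standard user and count entries that expose a kernel-mode object address.
class HandleInfoCheck
{
    const int SystemHandleInformation = 16;              // SYSTEM_INFORMATION_CLASS value
    const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004;
    const uint STATUS_SUCCESS = 0;

    // SYSTEM_HANDLE_TABLE_ENTRY_INFO (16 bytes on x86, 24 bytes on x64 with padding)
    [StructLayout(LayoutKind.Sequential)]
    struct SYSTEM_HANDLE_TABLE_ENTRY_INFO
    {
        public ushort UniqueProcessId;        // owning PID, truncated to 16 bits
        public ushort CreatorBackTraceIndex;
        public byte   ObjectTypeIndex;
        public byte   HandleAttributes;
        public ushort HandleValue;
        public IntPtr Object;                 // kernel-mode address of the object body
        public uint   GrantedAccess;
    }

    [DllImport("ntdll.dll")]
    static extern uint NtQuerySystemInformation(
        int SystemInformationClass, IntPtr SystemInformation,
        int SystemInformationLength, out int ReturnLength);

    // Returns the total number of entries; withKernelPointer counts entries whose
    // Object field is non-zero; samplePointer is one such address owned by pidOfInterest.
    static int CountHandleEntries(int pidOfInterest, out int withKernelPointer, out ulong samplePointer)
    {
        withKernelPointer = 0;
        samplePointer = 0;
        int length = 0x10000;
        IntPtr buffer = Marshal.AllocHGlobal(length);
        try
        {
            uint status;
            int returned;
            // The call reports STATUS_INFO_LENGTH_MISMATCH until the buffer is big
            // enough; the table can hold hundreds of thousands of entries.
            while ((status = NtQuerySystemInformation(SystemHandleInformation, buffer, length, out returned))
                   == STATUS_INFO_LENGTH_MISMATCH)
            {
                Marshal.FreeHGlobal(buffer);
                buffer = IntPtr.Zero;
                length *= 2;
                buffer = Marshal.AllocHGlobal(length);
            }
            if (status != STATUS_SUCCESS)
                throw new InvalidOperationException(
                    string.Format("NtQuerySystemInformation failed: 0x{0:X8}", status));

            // SYSTEM_HANDLE_INFORMATION: ULONG NumberOfHandles followed by the entry
            // array, which starts at the next pointer-aligned offset (4 on x86, 8 on x64).
            int count = Marshal.ReadInt32(buffer);
            int entrySize = Marshal.SizeOf(typeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO));
            IntPtr entries = IntPtr.Add(buffer, IntPtr.Size);

            for (int i = 0; i < count; i++)
            {
                var e = (SYSTEM_HANDLE_TABLE_ENTRY_INFO)Marshal.PtrToStructure(
                    IntPtr.Add(entries, i * entrySize), typeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO));
                if (e.Object == IntPtr.Zero)
                    continue;
                withKernelPointer++;
                // Keep one example from the requested process (16-bit PID compare).
                if (samplePointer == 0 && e.UniqueProcessId == (ushort)pidOfInterest)
                    samplePointer = (ulong)e.Object.ToInt64();
            }
            return count;
        }
        finally
        {
            if (buffer != IntPtr.Zero)
                Marshal.FreeHGlobal(buffer);
        }
    }

    static void Main()
    {
        int pid = System.Diagnostics.Process.GetCurrentProcess().Id;
        int total = CountHandleEntries(pid, out int withPointer, out ulong sample);
        Console.WriteLine("Handle entries returned: {0}, with kernel object address: {1}", total, withPointer);
        Console.WriteLine("Example object address owned by this process (PID {0}): 0x{1:X}", pid, sample);
    }
}
```

Two things worth knowing when reading the output: the UniqueProcessId field in this class is only 16 bits, so PIDs above 65535 are truncated (the extended class SystemExtendedHandleInformation returns full-width fields), and from the defender's side the call itself is just a read; the MDE observation in the post (a memory-allocation warning without an alert) is consistent with there being no dedicated signature for this query, so process-level baselining of which binaries touch ntdll!NtQuerySystemInformation with this class is the practical detection angle.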
In the video I show you how I rapidly investigated the prevalence of this technique, quickly assembled a binary utilizing ASATA's ability to search over a million offensive functions, show the results of my binary contrasted against ProcessHacker, and then have a look at the binary in MDE's timeline.
Write Null (blog): https://wafzsucks.medium.com/hacksys-extreme-vulnerable-driver-arbitrary-write-null-new-solution-7d45bfe6d116
Listing Open Handles and Finding Kernel Object Addresses (Blog): https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/get-all-open-handles-and-kernel-object-address-from-userland
Undocumented SYSTEM_HANDLE_INFORMATION: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle.htm