
Manual/Book [HITB Amsterdam 2023] The Lost World of DirectComposition - Hunting Windows Desktop Window Manager Bugs

weaver

The Lost World of DirectComposition - Hunting Windows Desktop Window Manager Bugs
In the past few years, Windows win32k privilege escalation vulnerabilities have emerged in an endless stream. Researchers discovered new attack surfaces such as win32k Callback, DirectX, DirectComposition, etc. Even so, it's still difficult to discover new vulnerabilities inside the win32k attack surface. Are there still other attack surfaces inside the Windows graphics component?

Desktop Window Manager (DWM.EXE) is the compositing window manager in Microsoft Windows since Windows Vista that enables the use of hardware acceleration to render the graphical user interface of Windows. We found that this process has high privileges and that users with low privileges can interact with the DWM process, which creates a very large attack surface. However, there is not much research on this attack surface. We found 10 bugs inside the DWM process; all of these bugs were reported to Microsoft and received acknowledgements.

In this talk, we will first introduce the basic architecture of the Desktop Window Manager, and explain how low-privileged users interact with the DWM process. We will also introduce some special features found in the DWM process through reverse engineering, such as restart recovery, exception handling, etc. We will disclose some vulnerabilities we found, and you will gain a better understanding of this attack surface. Finally, we'll draw a conclusion and share our opinions on this attack surface, as well as our speculation on the future security of the Desktop Window Manager process.


 

