2 comments on “Analysis Of An Interesting Windows Kernel Change Mitigating Vulnerabilities In Some Security Products”

  1. Hello there, I have a doubt regarding what you have described here. You say the problem is when using the buffered I/O method, but here your example is using IRP->UserBuffer, which is only used if the method is NEITHER, and that's why you must check not only the addresses but also the length of the data.

    When using the buffered method, the I/O Manager does these checks on your behalf. You will get an error if you call DeviceIoControl for a buffered-method IOCTL with an output buffer at that address.

  2. This is what most people think, that IRP->UserBuffer is only used by the NEITHER I/O method, which is not true. The BUFFERED method does do some checks, as I've explained, but as you can see, the lack of size validation in older OSes bypasses the address validation. So using the BUFFERED method you can write to the output UserBuffer.
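The point the two comments argue about, as an added example that is neither the post's own code nor either commenter's words: a user-mode C model of METHOD_BUFFERED output handling. It is not Windows code. The address space, the I/O-manager stand-in (`device_io_control`), the drivers (`vuln_dispatch`, `fixed_dispatch`) and the status values are all assumptions made for illustration. The probe follows the documented behaviour that ProbeForWrite with a Length of 0 checks nothing, so a kernel address paired with OutputBufferLength 0 passes the address check, and a driver that writes its result straight through Irp->UserBuffer with its own idea of the size corrupts kernel memory, while a driver that honours OutputBufferLength and writes only to SystemBuffer fails safely.

```c
/* Model of METHOD_BUFFERED output handling (assumption: not Windows code).
 * g_mem is a fake address space; offsets >= USER_LIMIT stand for kernel memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   0x1000u
#define USER_LIMIT 0x0800u

static uint8_t g_mem[MEM_SIZE];

/* Stand-in for ProbeForWrite: only bytes in [addr, addr+len) are checked,
 * so a zero-length probe accepts any address, kernel ones included. */
static int probe_for_write(uint32_t addr, uint32_t len)
{
    if (len == 0) return 1;
    if (addr + len < addr || addr + len > USER_LIMIT) return 0;
    return 1;
}

typedef struct {
    uint8_t  *SystemBuffer;       /* I/O manager's copy buffer */
    uint32_t  UserBuffer;         /* caller's output pointer, modelled as an offset */
    uint32_t  OutputBufferLength; /* length supplied by the caller */
} Irp;

typedef struct { uint32_t status; uint32_t value; } RESULT; /* 8 bytes */

enum { IO_OK = 0, IO_BUFFER_TOO_SMALL = -1, IO_ACCESS_VIOLATION = -2 };

/* Hypothetical driver A: writes RESULT through Irp->UserBuffer using sizeof,
 * never consulting OutputBufferLength. */
static int vuln_dispatch(Irp *irp)
{
    RESULT r = { 0, 0x41414141u };
    memcpy(&g_mem[irp->UserBuffer], &r, sizeof r);
    return (int)sizeof r;
}

/* Hypothetical driver B: rejects short buffers and writes only to SystemBuffer,
 * letting the I/O manager copy the result back to the probed user address. */
static int fixed_dispatch(Irp *irp)
{
    RESULT r = { 0, 0x41414141u };
    if (irp->OutputBufferLength < sizeof r) return IO_BUFFER_TOO_SMALL;
    memcpy(irp->SystemBuffer, &r, sizeof r);
    return (int)sizeof r;
}

/* I/O-manager stand-in for METHOD_BUFFERED: probe the output buffer for
 * OutputBufferLength bytes, call the driver, copy back at most that many bytes. */
static int device_io_control(uint32_t out_addr, uint32_t out_len, int (*dispatch)(Irp *))
{
    uint8_t sysbuf[64] = {0};
    if (out_len > sizeof sysbuf) return IO_ACCESS_VIOLATION;          /* model limit only */
    if (out_addr > MEM_SIZE - sizeof(RESULT)) return IO_ACCESS_VIOLATION; /* keeps g_mem in bounds */
    if (!probe_for_write(out_addr, out_len)) return IO_ACCESS_VIOLATION;

    Irp irp = { sysbuf, out_addr, out_len };
    int info = dispatch(&irp);
    if (info < 0) return info;

    uint32_t n = (uint32_t)info < out_len ? (uint32_t)info : out_len;
    memcpy(&g_mem[out_addr], sysbuf, n);
    return IO_OK;
}

static void reset_mem(void) { memset(g_mem, 0, sizeof g_mem); }

/* 1 if any byte of the "kernel" region has been written. */
static int kernel_region_modified(void)
{
    for (uint32_t i = USER_LIMIT; i < MEM_SIZE; i++)
        if (g_mem[i] != 0) return 1;
    return 0;
}

int main(void)
{
    const uint32_t kaddr = 0x0C00; /* constructed "kernel" target */

    reset_mem();
    printf("vuln, len 0   -> %d, kernel modified=%d\n",
           device_io_control(kaddr, 0, vuln_dispatch), kernel_region_modified());
    reset_mem();
    printf("vuln, len 8   -> %d, kernel modified=%d\n",
           device_io_control(kaddr, 8, vuln_dispatch), kernel_region_modified());
    reset_mem();
    printf("fixed, len 0  -> %d, kernel modified=%d\n",
           device_io_control(kaddr, 0, fixed_dispatch), kernel_region_modified());
    return 0;
}
```

With a length of 8 the probe rejects the kernel address outright; with a length of 0 the probe is a no-op and only the driver's own handling decides whether kernel memory is written, which is why the driver-side fix is to size the write by OutputBufferLength and go through SystemBuffer rather than UserBuffer.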
