Hunting Windows Desktop Window Manager bugs for Privilege Escalation

In the past few years, Windows win32k privilege escalation vulnerabilities have emerged in an endless stream. Researchers discovered new attack surfaces such as win32k callbacks, DirectX, DirectComposition, etc. Even so, it is still difficult to discover new vulnerabilities inside the win32k attack surface. Are there other attack surfaces inside the Windows graphics components?

Desktop Window Manager (DWM.EXE) is the compositing window manager in Microsoft Windows since Windows Vista that enables the use of hardware acceleration to render the Windows graphical user interface. We found that this process runs with high privileges while low-privileged users can interact with it, which creates a very large attack surface. However, there has not been much research on this attack surface. We found ten bugs inside the dwm process; all of them were reported to Microsoft and received acknowledgements.

In this talk, I will first introduce the basic architecture of the Desktop Window Manager and explain how low-privileged users interact with the dwm process. I will also introduce the fuzzer we designed and describe how to use fuzzing to find vulnerabilities in this attack surface. Later, I will disclose five of the vulnerabilities we found, so you will gain a better understanding of this attack surface. Finally, I will conclude, share our opinions on this attack surface, and speculate on the future security of the Desktop Window Manager process.


About the Presenter: WangJunjie Zhang

WangJunjie Zhang is a senior security researcher at the Hillstone Network Security Research Institute. He graduated from ShangHai Ocean University and is a former member of Tencent KeenLab. His work involves exploit development and bug hunting. He is currently focusing on Windows components and kernel security, and he has reported many vulnerabilities to Microsoft and Red Hat and received acknowledgements. He was also listed as a Microsoft Most Valuable Researcher from 2020 to 2022.


About the Presenter: Wenyue Li

Wenyue Li is a member of (ISC)². He holds various international professional certifications such as CISSP and DPO. He has also obtained a large number of CVE numbers and received acknowledgements from Microsoft. His research interests include mobile security, APT malware analysis, OS vulnerability mining and fuzz testing.


About the Contributor: YiSheng He

YiSheng He is a member of OWASP, (ISC)², CSA and other organizations. He holds various international professional certifications such as CISSP, CCSK and OSCP, and has participated in many open source security projects. He has obtained a large number of CVE numbers and received acknowledgements from Microsoft, Apple and other companies. He has also participated in many CTF competitions with good rankings. His research interests include AIoT and web security.
