Forrest Orr Profile
Forrest Orr

@_ForrestOrr

Followers
4K
Following
253
Statuses
175

Red Teamer, low level coding extremist and malware researcher. Windows exploit writer and bug hunter

Joined September 2017
@_ForrestOrr
Forrest Orr
3 years
I'm proud to release my first Google Chrome RCE derived from the most fascinating and mind bending exploit I have yet analyzed: CVE-2019-13720 Wizard Opium. This is a beautiful bug which I have crafted into an exploit bypassing ASLR, CFG and CET on Win10
6
156
577
@_ForrestOrr
Forrest Orr
4 days
@vxunderground 15 not 19 ;)
0
0
0
@_ForrestOrr
Forrest Orr
1 month
@sixtyvividtails I am talking here about a specific technique to obtain such a handle to a specific System process as a non-admin user; normally this is globally impossible. What I wonder though is if this meets Microsoft criteria for a security boundary/elevation bug
0
0
2
@_ForrestOrr
Forrest Orr
1 month
A standard user is unable to obtain any process handle even with PROCESS_QUERY_LIMITED_INFO to any System integrity process regardless of which session it is in. It’s also unable to QI limited any process in another session regardless of integrity level. The process DACL in question locks all access (even query limited) to anyone but SYSTEM.
0
0
2
@_ForrestOrr
Forrest Orr
2 months
@trickster012 @sixtyvividtails @zodiacon @GabrielLandau These events do not trigger for process suspend or resume despite existing in EtwTi. They seem to be placeholders.
0
0
2
@_ForrestOrr
Forrest Orr
2 months
@sixtyvividtails @zodiacon @GabrielLandau Checking the ring3 call stack from a ring0 kernel process creation callback seems like the only reliable way to do this that I can think of. Timing when the main thread is resumed would be messy
1
0
1
@_ForrestOrr
Forrest Orr
2 months
@sixtyvividtails @zodiacon Brilliant insight thank you. So how is an application like Elastic populating its “created_suspended” bool field for its yara rules then? This field is criteria in various process hollowing rules from what I recall
1
0
1
@_ForrestOrr
Forrest Orr
2 months
@frodosobon @zodiacon If you NtQueryInformationThread the state of the single/main thread from a create process notification routine in the kernel, it will always return state 0 (initialized). Not running, waiting, suspended etc regardless of CREATE_SUSPENDED
1
0
0
@_ForrestOrr
Forrest Orr
6 months
@peterwintrsmith @shubakki I think the biggest weakness in Moneta though is false positives. A major feature that has always been needed is a JSON whitelist file where an operator or enterprise can design a profile of known false positives.
1
0
1
@_ForrestOrr
Forrest Orr
6 months
@peterwintrsmith @shubakki I’m very glad to hear this, I’ve been shocked lately to see people using Moneta on YouTube videos about reverse engineering and forensics (since when does our little underground community have this big mainstream presence?)
1
0
1
@_ForrestOrr
Forrest Orr
6 months
@shubakki @peterwintrsmith Great idea with NtContinue.
1
0
2
@_ForrestOrr
Forrest Orr
6 months
@peterwintrsmith 2 and 3 are an interesting touch on Gargoyle/SleepMask techniques. The issue is that all I have are the original alloc permissions and the current ones. Malware tends to always alloc RW initially then change it, so it is of limited value to a sleeper shellcode detection
1
0
1
@_ForrestOrr
Forrest Orr
6 months
@peterwintrsmith @ilove2pwn_ This change is already present, as I take it you’re referring to the ability to clone a process and nuke its working set to make its new image memory contents like unmodified?
1
0
1
@_ForrestOrr
Forrest Orr
6 months
@peterwintrsmith You’re referring to addresses that have been whitelisted by CFG? For example a hollowed part of a .text section where malware wrote itself and then marked its entry point as whitelisted for CFG before launching a new thread there? Or something else?
1
0
1
@_ForrestOrr
Forrest Orr
6 months
An example of a feature I considered including was a Chromium PartitionAlloc heap walker, as I had to code this tool separately to heap groom the Chrome UAF I wrote a few years ago. It seemed too niche of a feature to be worth implementing
0
0
4
@_ForrestOrr
Forrest Orr
11 months
@maxpl0it @0xocdsec @_manfp A beauty indeed
0
0
1
@_ForrestOrr
Forrest Orr
11 months
Great patch, thanks for making the pull request.
@GabrielLandau
Gabriel Landau
11 months
Now it no longer works against Moneta😀
0
0
1