KASLR is broken anyway, at least on x86, even with KPTI (a Linux feature to mitigate Meltdown) enabled. See https://www.willsroot.io/2022/12/entrybleed.html, which still runs fine (with some modifications depending on the microarchitecture) on the latest AMD and Intel hardware that we've checked.
I find myself thinking "wow, what an obvious bug. How did Microsoft not catch that?" but then I think back to some of my own extremely obvious bugs. Thankfully my code is much lower impact.
btreecat · 2h ago
I still think of the lessons learned from a root traverse bug I accidentally coded into one of our internal apps as a jr dev.
You could change the URL of the image, and get any file off the system to download as long as the service account had read access.
Invaluable XP, and really glad everything was behind AD authentication and internal users were trustworthy enough and operating in a network isolated context.
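The image-download bug described in this post, shown as an added example (not code from the commenter's app): the vulnerable join beside a hardened version that resolves the path and checks it stays inside the upload directory. The upload directory, the "secret" file and the `TRAVERSAL` string are constructed fixtures so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Constructed fixtures so the example runs offline: an upload directory the
# endpoint is meant to serve from, and a file elsewhere on the filesystem that
# the service account happens to be able to read.
BASE_DIR = Path(tempfile.mkdtemp(prefix="uploads_"))
(BASE_DIR / "logo.png").write_bytes(b"PNG-BYTES")
SECRET_DIR = Path(tempfile.mkdtemp(prefix="secret_"))
(SECRET_DIR / "config.ini").write_bytes(b"db_password=hunter2")
# Relative path from BASE_DIR to the secret file, e.g. "../secret_x/config.ini".
TRAVERSAL = os.path.relpath(SECRET_DIR / "config.ini", BASE_DIR)


def vulnerable_read(name: str) -> bytes:
    """The bug in the story: the URL parameter is joined straight onto the
    upload directory. '../' segments walk out of it, and an absolute path
    replaces it entirely, so anything the service account can read is served."""
    with open(os.path.join(BASE_DIR, name), "rb") as f:
        return f.read()


def safe_read(name: str) -> bytes:
    """Hardened version: resolve symlinks and '..' first, then check that the
    real path is still inside the upload directory. A plain string-prefix
    check is not enough ("/srv/uploads" is a prefix of "/srv/uploads_old")."""
    base = BASE_DIR.resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):  # Path.is_relative_to needs Python 3.9+
        raise PermissionError(f"path escapes upload directory: {name!r}")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_bytes()


def access_decision(name: str) -> str:
    """Classify a request the way a handler would map it to a response status."""
    try:
        safe_read(name)
        return "allowed"
    except PermissionError:
        return "blocked"
    except FileNotFoundError:
        return "missing"


if __name__ == "__main__":
    print("vulnerable:", vulnerable_read(TRAVERSAL))  # leaks the secret file
    print("hardened:  ", access_decision(TRAVERSAL))  # blocked
```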
globular-toast · 1h ago
Yeah, having learnt very similar (if not the same) lessons myself the hard way I see great value in being able to fail badly, but with low stakes. I catch loads of bugs like these from jrs before they hit prod but I don't feel like they're learning the fundamentals of security like trust, sanitising inputs, least privilege etc.
lawlessone · 59m ago
Sounds like how WordPress used to be. Could explore all the folders and get any file off the site with something like website.com/content/2010/
privatelypublic · 23s ago
That would be an incorrectly configured HTTP server. Not WordPress.
Things used to be distributed with .htaccess files, but only Apache uses them and so that got offloaded on "blame the admin for not following documentation." Forgetting that nobody ever adds such to the docs.
mkolassa · 1h ago
It’s interesting that the KB that patches this on Windows 11 (KB5063878) is the same one that was tied up in all the Phison SSD drama.
p_ing · 47m ago
1) Those patches address a wide range of issues, from bug fixes to feature additions to security fixes. This is uninteresting.
2) The issue had nothing to do with the patch. It was a coincidence.
Jare · 3h ago
I went to check when the bug had been patched, and was left wanting. I however lack the expertise to really appreciate how much danger exists in practice, or for whom. I just know I do have Win11 24H2 and "This leak primitive is particularly useful for Windows versions 24H2 or later"
It would seem this was patched in the Aug 12 security patch rollout.
Jare · 1h ago
Wow thanks! I didn't even realize that was a link, it looks like just any other bold text in the page. It's weird this page would be published in Sept (if I understand correctly) and not mention the patch, but in any case that's good.
MattSteelblade · 2h ago
This type of exploit is useful as part of a chain of exploits; it defeats a defense-in-depth protection.
twoodfin · 2h ago
Specifically, it leaks a kernel address inside a security-sensitive structure, which is supposed to be unpredictable / unknowable because the layout of kernel memory is randomized.
If you have another exploit that will write bytes under the attacker’s control to an attacker-supplied kernel address, you will be able to do the Windows equivalent of escalate to root.
lysace · 2h ago
Random: Perhaps that full source code leak in 2004 actually helped harden the kernel, long term?
https://betanews.com/2004/02/13/windows-source-leak-traces-b...
I mean, it wasn't like the address space was all that large back then, anyhow.