Momigari: Overview of the latest Windows OS kernel exploits found in the wild

Boris Larin/Kaspersky

Momigari (red leaf hunting) is the Japanese tradition of searching for the most beautiful leaves in autumn.

In the space of just one month in the autumn of 2018, we found a number of zero-day exploits in the wild for the Microsoft Windows operating system. Two of them were for the newest and fully updated Windows 10 RS4, which until then had no known memory corruption exploits.

We also uncovered exploits for vulnerabilities that had been unintentionally fixed with security updates, but which had been unpatched zero-days for a long time leading up to that. These findings show that exploit writers continue to find new ways to reliably exploit unstable vulnerabilities and bypass modern mitigation techniques for the most secure operating system.

The most interesting thing is that many of these exploits are related. This suggests that the masterminds behind them are not afraid of wasting a number of zero-days at a time because their armory is full.

In this presentation, we will look at multiple local privilege escalation exploits actively used in the wild and tied into a single framework that was not previously known.

This advanced framework shows signs of maturity: the highest standards of code development and a deep technical knowledge of Windows OS inner workings, observed from the shellcodes that are used in the exploits.

In this presentation, we will share the following:

  • An in-depth analysis of the framework that was used for the zero-day exploit development
  • An in-depth analysis of vulnerabilities used by attackers
  • The interesting techniques that were used to bypass exploit mitigation mechanisms

November 7 at 16:10 - 16:40, Stage A

Boris Larin is a Senior Malware Analyst in the Heuristic Detection and Vulnerability Research team at Kaspersky Lab. Boris is very passionate about reverse engineering and has been doing it for the last decade, performing vulnerability research on software for different CPU architectures and systems. In his current role, Boris is responsible for detecting exploits using modern antivirus technologies. Besides that, Boris is the author of educational materials for Kaspersky Academy, and his latest write-ups about zero-day exploits and the inner workings of commonly exploited software can be found on Securelist.com.