You could change the URL of the image, and get any file off the system to download as long as the service account had read access.
Invaluable XP, and really glad everything was behind AD authentication and internal users were trustworthy enough and operating in a network isolated context.
Things used to be distributed with .htaccess files, but only apache uses them and so that got offloaded on "blame the admin for not following documentation." Forgetting that nobody ever adds such to the docs.
Nah, it's WordPress, or more specifically: the sorry state of its community plugins.
https://betanews.com/2004/02/13/windows-source-leak-traces-b...
I mean, it wasn't like the address space was all that large back then, anyhow.
How much of the core parts of the kernel do you think have been rewritten since?
Certainly it hasn't been 100% rewritten, that'd make no sense. But I'm not going to guess how much of it /has/ been rewritten because like you guessing, it'd be an uneducated one.
Does refactoring count as rewriting, though?
I've poked-around the NT kernels for XP, XPx64, Vista, 7 SP1, and Win10 22H2[1] in Ghidra as part of a personal quest to find out why my Intel motherboard's XHCI (USB) controller drops random mouse HID packets, and even though the overall structure noticeably changes between releases after zooming-in I'll eventually find the same familiar blocks of code or patterns-of-blocks-of-code all referencing each other like before... just with even more new layers of indirection added in each Windows release.
A good example of this is to compare the disassembly for ntosknrl before - and after - Microsoft added Virtualization-based-security and "Virtual Trust Levels" to the kernel (I forget the exact version, but I think sometime in 2017?): prior to that, Windows' kernel-mode handling of its USER-component's hardware IO (mouse, keyboard, etc) was still fairly recognizable compared to even Windows XP; but post-VTL I saw how the "useful" program-code for processing local user input is wrapped in massive amounts of redirection back-and-forth through the hypervisor when VTL is enabled - it left me feeling like they moved a mountain just for this one single, Enterprise-y, feature while accepting the runtime overhead of all the extra branches and virtual-calls going on (which are trivial and of no consequence on modern hardware); so while I can't fault anyone at MS on the kernel team for their approach, it's a reminder that progress does not come cheap - or without compromises.
I wonder if Microsoft wrapped all the indirection gubbins in #ifdefs to elide it all from their gaming-edition build of Windows 11 for their Steamdeck compete ("ROG Xbox Ally") - I'd like to poke around that OS at some point to see (or maybe they've gone all-in on hypervisor-based security because that's how the Xbox now works?)
[1] Remember kids, keep your own backups of pdb symbols! Microsoft doesn't offer ISO downloads of PDBs to match your install media; now they're all download-on-demand with no guarantees of future availability of symbols for any binaries shipping today: it means debug symbols are now ephemeral and will be highly treasured by collectors in the distant future.
Thanks for the confirmation. Realistically this is to be expected for a codebase like this.
2) The issue had nothing to do with the patch. It was a coincidence.
a) People avoiding the update because one part causes problems
b) A security fix they probably need is only in that update
And dealing with that, is a topic of conversation.
https://github.com/eigenform/perfect/blob/e5da0c693ba5d1b654...
.. and here's another example in the case of EntryBleed:
https://github.com/eigenform/perfect/blob/e5da0c693ba5d1b654...
Serious red team reports will just have a brief section like "then, we defeat KASLR with [technique]. Next..."
Seems like SystemTokenInformation might be a very new addition, possibly even Windows 11 only?
Checked a kernel from November 2024 vs a current one and from I can tell, this used to be the actual mechanism the exploit worked:
Thread #1 looping
NtQueryInformationToken(TokenAccessInformation, InfoBuffer);
Thread #2 looping
Ptr = *(InfoBuffer + SidHashOffset);
if (IsValidCanonicalKernelPtr(Ptr))
done
Jare•4mo ago
Ethee•4mo ago
It would seem this was patched in the Aug 12 security patch rollout.
Jare•4mo ago
MattSteelblade•4mo ago
twoodfin•4mo ago
If you have another exploit that will write bytes under the attacker’s control to an attacker-supplied kernel address, you will be able to do the Windows equivalent of escalate to root.
bri3d•4mo ago
So, it's not that this bug is a _bigger_ problem on Win11 24H2, it's that there were so many _other_ problems prior to Win11 24H2 that nobody would bother with this bug in the first place. You have nothing to worry about from being on Win11 24H2 specifically when it comes to this bug.
And:
This is an information leak bug. No danger exists in practice for anyone from this bug alone. It erodes one very weak layer to a defense-in-depth strategy. It could have been used as part of a chain of exploits to provide the attacker with information (the kernel slide) that they needed, but it just provides a meaningless memory address on its own.