#windows
8 pages tagged with "windows"
infosec
- glaurung windows driver findings โ a running catalog of windows kernel-driver bugs found with glaurung, the binary-analysis toolkit โ what each bug is, how the tool surfaced it, and an honest read on why microsoft did or did not act on it.
- ioctlance: windows driver vulnerability detection โ symbolic execution and taint analysis for finding vulnerabilities in windows kernel drivers
- june 2026 patch tuesday: a patch-diff campaign โ reverse-engineering microsoft's record june 2026 patch tuesday: localizing the headline network and kernel cves, and two systemic observations (velocity-flag-gated fixes, and a reachability correction on the wormable tcp/ip rce)
- KovaPlusFltr.sys: an unprivileged kernel stack overflow in the ROCCAT Kova[+] HID filter driver โ glaurung surfaced an unbounded ioctl copy in a 2010 ROCCAT gaming-mouse filter driver: an attacker-controlled length copied into a fixed 3000-byte kernel stack buffer with no upper bound and no /GS cookie, overwriting the saved return address. unprivileged with a controlled kernel write, but reachable only when the Kova[+] mouse is present, which we reproduced in qemu by emulating the hardware the driver expects.
- live kernel-debugging windows drivers in qemu from linux (no windbg, no whpx, no exdi) โ a working recipe for breakpointing windows kernel drivers running in a qemu/kvm guest, driven entirely from a linux host over the qemu gdbstub. it sidesteps the usual windbg-over-kdnet/exdi and whpx pain: gdb attaches to the gdbstub directly, base+rva is resolved without pdbs, and the single rule that fixes "symbols resolve but my breakpoint never hits" is hardware breakpoints only. ends with a real captured ring-0 saved-rip overwrite.
- ndfltr.sys: a 32-bit offset+length wrap into a kernel OOB read โ glaurung found an integer-overflow-before-bounds-check in the windows NetworkDirect filter driver: a 32-bit (offset+length) validation that wraps while the use site applies the offset as a 64-bit addend, sending the source pointer ~4 GiB out of bounds. unprivileged on RDMA hosts, but a denial-of-service floor โ and one of three candidate sites was a false positive we caught before disclosing.
- NDKPing.sys: a NULL SystemBuffer deref you can blue-screen on demand โ glaurung flagged an ioctl dispatcher in the windows NDK diagnostic driver that loads Irp->AssociatedIrp.SystemBuffer and dereferences it without a null check. a METHOD_BUFFERED ioctl with zero-length input and output leaves SystemBuffer NULL, and every case body reads [NULL+0x28]. reproduced live as bugcheck 0x3B โ but it is admin-only, which is exactly why microsoft will not fix it.
- tcpip.sys Fse/port-tracker per-message length underflow (kernel OOB read, SEH-caught) โ a confirmed integer underflow in the windows tcp/ip Fse/port-tracker (WSL2 mirrored-networking) transport hands a ~4GB declared length to the MIDL/NDR decoder over a <32-byte buffer. the kernel out-of-bounds read executes on a live kernel but is caught by an RPC structured-exception handler; the one possible escalation (an info-leak to the peer) is refuted by static analysis. real but benign, on an opt-in surface.