Tales from the %TEMP%
05-26, 10:20–11:00 (Europe/Stockholm), Main stage

The C:\Windows\Temp directory may seem like a safe place to store temporary data, but it has a few quirks that not all developers are aware of. For code running with high privileges, like Windows services, it becomes an attack surface. For attackers it is the gift that keeps on giving by exposing products to privilege escalation vulnerabilities.

The talk covers (now fixed) privilege escalation vulnerabilities in Snow Inventory Agent for Windows (CVE-2018-17778) and F5 BigIP Edge Client for Windows (CVE-2021-23022). They share a common theme in that they both use C:\Windows\Temp in an insecure way.

This talk will cover the discovery and exploit development of the vulnerabilities. They are all caused by misconceptions and logic bugs when interacting with C:\Windows\Temp; no memory corruption is involved at all. There are definitely lessons to be learned in product vulnerability management here, as both software vendors failed an attempt to release a version of the product that fixed the identified issues.

I will briefly go through some Windows exploit primitives such as DLL-hijacking, named pipes, oplocks and directory junctions, as well as a new(?) technique for bypassing TOCTOU of multiple "checks" using a combination of directory junctions and oplocks.

Examples of content covered:

Snow Inventory Agent for Windows (CVE-2018-17778)
1. Vulnerability discovery (driver loaded from insecure location).
2. Verifying the vulnerability.
3. Exploiting the vulnerability using BYOVD (Bring Your Own Vulnerable Driver).

F5 BigIP Edge Client for Windows (CVE-2021-23022)
1. Verifying an N-day vulnerability (CVE-2020-5896).
2. Exploiting N-day with DLL-hijacking.
3. Evaluating the fix.
4. Bypassing code signatures on CAB files.
5. Executing code using backdoored CAB files.
6. Executing code using oplocks and DLL-hijacking.
7. Evaluating the fix of the fix.
8. Bypassing the fix of the fix.
9. Evaluating the fix of the fix of the fix.

Jonas has been a senior security consultant at Sentor since 2013, securing the world one reverse shell at a time. Enjoys coffee, coding, bypassing EDRs, Windows privilege escalation bugs and getting Domain Admin.