- The bug resides in the `AppHashComputeImageHashInternal()` function, which can be reached by sending an IOCTL with code `0x22A018` to the device object named `\Device\Appid`.
- The driver expects two pointers referenced from the IOCTL's input buffer.
- The bug yields a powerful primitive: through a callback, the attacker gains complete control of the instruction pointer and of the data in the first argument.
- Based on the ACL on the device object, only the `LOCAL SERVICE` and `AppIDSvc` users have sufficient permission to send the target `IoControlCode`.
- The target driver, `appid.sys`, is not loaded automatically; loading it requires sending an event to a specific AppLocker-related ETW provider.
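The summary above gives the IOCTL only as a raw number. The following added example (not code from the original page or from the driver's author) decodes `0x22A018` into the four `CTL_CODE` fields so the access requirement and transfer method are visible. The constants mirror the definitions in `winioctl.h`; the decode runs on any platform, and nothing about the input-buffer layout of the two pointers is assumed beyond what the summary states.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Layout of a Windows I/O control code, as produced by the CTL_CODE macro
 * in winioctl.h / ntddk.h:
 *   bits 31..16  DeviceType
 *   bits 15..14  RequiredAccess  (FILE_ANY_ACCESS=0, FILE_READ_ACCESS=1,
 *                                 FILE_WRITE_ACCESS=2)
 *   bits 13..2   Function
 *   bits  1..0   Method          (METHOD_BUFFERED=0, METHOD_IN_DIRECT=1,
 *                                 METHOD_OUT_DIRECT=2, METHOD_NEITHER=3)
 */
#define FILE_DEVICE_UNKNOWN 0x00000022u
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u
#define METHOD_BUFFERED     0u
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u

#define CTL_CODE(DeviceType, Function, Method, Access)               \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) |   \
     ((uint32_t)(Function) << 2)    | (uint32_t)(Method))

/* The control code named in the summary for \Device\Appid. */
#define IOCTL_APPID_TARGET 0x22A018u

typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Split a control code into its four CTL_CODE fields. */
ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      =  code        & 0x3u;
    return f;
}

const char *method_name(uint32_t method)
{
    static const char *names[] = {
        "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
    };
    return names[method & 0x3u];
}

int main(void)
{
    ioctl_fields f = decode_ioctl(IOCTL_APPID_TARGET);

    /*
     * Access == FILE_WRITE_ACCESS means the caller's handle to the device
     * must have been opened with write access, which is what the ACL on
     * \Device\Appid gates (only LOCAL SERVICE and AppIDSvc per the summary).
     * Method == METHOD_BUFFERED means the I/O manager copies the input
     * buffer into a kernel SystemBuffer but does not validate any pointers
     * embedded in it; the two pointers the driver reads from that buffer
     * must be probed by the driver itself.
     */
    printf("IOCTL 0x%06X: DeviceType=0x%X%s Access=%u Function=0x%X Method=%s\n",
           IOCTL_APPID_TARGET, f.device_type,
           f.device_type == FILE_DEVICE_UNKNOWN ? " (FILE_DEVICE_UNKNOWN)" : "",
           f.access, f.function, method_name(f.method));

    /* Round trip: re-encoding the fields must reproduce the original code. */
    printf("re-encoded: 0x%06X\n",
           CTL_CODE(f.device_type, f.function, f.method, f.access));
    return 0;
}
```

The decode gives `FILE_DEVICE_UNKNOWN`, function `0x806`, `FILE_WRITE_ACCESS`, `METHOD_BUFFERED`. The write-access bit is what makes the device ACL the effective trust boundary for this code path.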