Full Report
This post was originally written in 2016 for the Project Zero blog. However, in the end it was published separately in the journal PoC||GTFO issue #13 as well as in the second volume of the printed version. In honor of our new blog we're republishing it here and have included an updated analysis to see if it still works on a modern Windows 11 system. During my Windows research I tend to find quite a few race condition vulnerabilities. A fairly typical exploitable form looks something like this:

1. Do some security check
2. Access some resource
3. Perform secure action
Analysis Summary
# Vulnerability: Race Condition Exploitation via Object Manager Path Lookups
## CVE Details
- CVE ID: N/A (The article discusses a technique discovered in 2016 and verified on modern systems, but no specific CVE is referenced for the general technique described.)
- CVSS Score: N/A
- CWE: CWE-362 (Concurrent Access of Shared Resource: Race Condition)
## Affected Systems
- Products: Windows (Implied; the technique targets the Windows NT Object Manager Namespace.)
- Versions: Original research targeted older versions (2016); updated analysis confirms viability up to **Windows 11 24H2** on Snapdragon X Elite hardware.
- Configurations: Any configuration where processes perform security-sensitive operations following an Object Manager path lookup that can be manipulated by a local attacker.
## Vulnerability Description
The vulnerability lies in exploiting the classic Windows race condition pattern: **Check $\rightarrow$ Access $\rightarrow$ Secure Action**. By controlling the resource being accessed during the lookup phase (Step 2), an attacker can drastically slow down the Object Manager Namespace (OMNS) path parsing performed by the kernel.
The technique involves constructing an extremely complex path using a large number of **Symbolic Links** and **Object Directory** entries, specifically designed to cause pathological performance degradation during lookup resolution. By creating hundreds of colliding entries and deeply nested symbolic links, the time taken for the kernel to resolve a resource path can be extended from microseconds to several minutes (e.g., 3 minutes on a modern test system, 19 minutes on older hardware). This massive time dilation effectively expands the extremely short race window, allowing an attacker to reliably win the race condition against the delayed security check or operation.
## Exploitation
- Status: **PoC available** (Proof-of-concept code for testing the delay mechanism is available on GitHub.)
- Complexity: **Medium**. While the ultimate goal is to exploit an *existing* time-of-check-to-time-of-use (TOCTOU) bug, this technique provides the necessary time window, making an otherwise unreliable exploit reliable. The setup complexity to create the path structure is high.
- Attack Vector: **Local**. The attacker must be able to create the necessary directory structures and links within the Object Manager Namespace before triggering the target operation.
## Impact
- Confidentiality: Potentially high (If used to elevate privileges or bypass access control checks).
- Integrity: Potentially high (If used to modify or replace resources before a secure operation confirms them).
- Availability: Low (Primarily affects the performance of the specific path lookup, potentially causing a temporary hang/Denial of Service during the lookup phase).
## Remediation
### Patches
- No specific CVE or patch is identified in the article associated with this generalized technique. The article suggests that Microsoft has not addressed this pathological input behavior, likely due to the complexity vs. impact trade-off in the Object Manager code path.
### Workarounds
- Implementations should **avoid creating security checks where the resource path is user-controlled and involves complex lookups** if the subsequent action grants privileges.
- Monitor for unusually long system calls related to object management or file system operations; a lookup that takes seconds or minutes rather than microseconds may indicate that this path-lookup slowdown technique is being used.
## Detection
- **Indicators of Compromise**: Unusually high CPU utilization or process hangs correlated with object creation/access attempts, particularly involving long, deeply nested, or highly convoluted path names targeting the `\BaseNamedObjects` namespace or similar paths used by targeted applications.
- **Detection Methods and Tools**: Monitoring kernel-mode API calls related to Object Manager path traversal functions for execution times exceeding typical bounds (microseconds to milliseconds), searching for pathological naming structures (e.g., excessive symbolic links or directory collisions).
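The detection idea above (flagging object-manager lookups whose duration or path structure is far outside normal bounds) as an added, self-contained example. This is not code from the original article or from the linked PoC; the log format, the threshold values and the sample records are all constructed for illustration, and the depth heuristic is an assumption about what a "convoluted" path looks like rather than anything the article specifies.

```python
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (not real data): one record per object open,
# formatted as "<timestamp> <pid> <duration_us> <object path>". The format
# itself is an assumption made for this example.
SAMPLE_LOG = """\
2024-06-01T10:00:00.001 4120 14 \\BaseNamedObjects\\MyEvent
2024-06-01T10:00:00.002 4120 27 \\Sessions\\1\\BaseNamedObjects\\Local\\Shared
2024-06-01T10:00:01.500 5288 180000000 \\BaseNamedObjects\\a\\b\\c\\d\\e\\f\\g\\h\\i\\j\\k\\l\\target
2024-06-01T10:00:02.000 5288 9 \\KnownDlls\\ntdll.dll
"""

# timestamp, pid, duration in microseconds, backslash-rooted object path
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\\\S+)$")


@dataclass
class Finding:
    timestamp: str
    pid: int
    duration_us: int
    path: str
    reasons: list = field(default_factory=list)


def path_depth(path: str) -> int:
    """Number of non-empty components in an object-manager path."""
    return len([c for c in path.split("\\") if c])


def analyze(log_text: str,
            duration_threshold_us: int = 1_000_000,
            depth_threshold: int = 8) -> list:
    """Return one Finding per record that exceeds the duration threshold
    (default: one second, an assumed bound; normal lookups take microseconds)
    or whose path is nested deeper than depth_threshold components."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than failing the whole run
        ts, pid, dur, path = m.groups()
        duration_us = int(dur)
        reasons = []
        if duration_us > duration_threshold_us:
            reasons.append(f"lookup took {duration_us} us")
        depth = path_depth(path)
        if depth > depth_threshold:
            reasons.append(f"path depth {depth} exceeds {depth_threshold}")
        if reasons:
            findings.append(Finding(ts, int(pid), duration_us, path, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.timestamp, f.pid, f.path, "; ".join(f.reasons))
```

Both heuristics fire on the same constructed record here, but in practice the duration check is the stronger signal: a legitimately deep path still resolves quickly, while a lookup that takes seconds is anomalous regardless of how the path looks. Thresholds need tuning per host, since baseline lookup times vary.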
## References
- Vendor Advisories: None identified specific to this technique.
- Relevant links (defanged):
  - Full test code: hxxps://github[.]com/tyranid/poc-gtfo-13-poc
  - Original publication: PoC||GTFO issue #13
  - Trapping virtual memory access discussion: hxxps://googleprojectzero[.]blogspot[.]com/2021/01/windows-exploitation-tricks-trapping[.]html