Security researchers have discovered a new technique to bypass Kernel Address Space Layout Randomization (KASLR) in Windows 11, potentially weakening a critical security feature designed to prevent attackers from reliably locating kernel components in memory.
KASLR works by loading the kernel at a randomized memory address each time the system boots, making it difficult for attackers to predict where to target their exploits.
This randomization serves as a fundamental defense against memory corruption vulnerabilities that might otherwise be exploited to gain elevated system privileges.
The newly documented bypass method leverages CPU cache timing differences to determine the location of ntoskrnl.exe, the core of the Windows operating system.
This technique is particularly concerning because it works even on fully updated Windows 11 systems, including the recent 24H2 update, which had specifically patched previous methods of bypassing KASLR using NtQuerySystemInformation() functionality.
r0keb identified that the bypass technique exploits fundamental behavior in modern CPU architectures, specifically how processors handle memory caching.
In a detailed technical breakdown, r0keb demonstrated that the attack works by measuring access times to potential kernel memory addresses, with cached (valid) addresses responding significantly faster than uncached ones.
The researcher acknowledged that the method builds upon previous work by a researcher known as “exploits-forsale.”
Unlike previous bypass methods, this technique doesn’t require elevated privileges such as SeDebugPrivilege, making it accessible to attackers operating with limited system access.
This significantly expands the potential attack surface and could serve as a stepping stone for more sophisticated exploits targeting the Windows kernel.
Cache Side-Channel Implementation Details
The core of this bypass technique relies on speculative execution and prefetch side-channel attacks.
The implementation builds a timing measurement routine to detect which memory addresses are already cached by the CPU, a strong indication that those addresses are actively used by the kernel.
The attack specifically targets the address range between 0xfffff80000000000 and 0xfffff80800000000, where ntoskrnl.exe might be located due to KASLR constraints.
The central function of the exploit repeatedly measures access times to each potential address using careful CPU instruction sequencing with prefetchnta and prefetcht2 instructions, as shown in this key code snippet:
prefetchnta byte ptr [r10]
prefetcht2 byte ptr [r10]
mfence
rdtscp
This sequence allows the exploit to measure precisely how long it takes to access each memory address.
After gathering timing data for all possible locations, the code performs statistical analysis to identify addresses with consistently faster access times, revealing the actual location of ntoskrnl.exe.
When tested on current Windows 11 systems, the technique successfully revealed the correct kernel base address without requiring elevated privileges, confirming its effectiveness against Microsoft’s latest security measures.
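To illustrate the statistical step the article describes, here is an added example (not r0keb's code) that runs entirely on constructed timing data: it never probes kernel memory, and it shows why a single fast reading is not enough while a per-address median with a clear margin is. The 2 MiB candidate stride and the cycle counts are assumptions for the demo.

```python
import random
import statistics

# Candidate range from the article; the 2 MiB stride is an assumption for this illustration.
RANGE_START = 0xFFFFF80000000000
RANGE_END = 0xFFFFF80800000000
STRIDE = 0x200000

CACHED_CYCLES, UNCACHED_CYCLES = 150, 300   # constructed latencies, not measured values


def candidates(start=RANGE_START, end=RANGE_END, stride=STRIDE):
    return range(start, end, stride)


def synthetic_timings(cached_addr, addrs, rounds=16, seed=7):
    """Constructed per-address samples: jitter plus rare spikes (an interrupt
    slows a read; a measurement artifact makes an uncached read look fast)."""
    rng = random.Random(seed)
    timings = {}
    for addr in addrs:
        base = CACHED_CYCLES if addr == cached_addr else UNCACHED_CYCLES
        samples = []
        for _ in range(rounds):
            t = base + rng.randint(-20, 20)
            if rng.random() < 0.05:
                t = rng.choice([120, base + 400])
            samples.append(t)
        timings[addr] = samples
    return timings


def naive_pick(timings):
    """Single fastest reading wins: fooled by one lucky sample."""
    return min(timings, key=lambda a: min(timings[a]))


def robust_pick(timings, margin=50):
    """Median per address, and require a clear gap to the runner-up;
    returns None when no candidate is consistently faster."""
    ranked = sorted((statistics.median(s), a) for a, s in timings.items())
    (best_med, best), (next_med, _) = ranked[0], ranked[1]
    if next_med - best_med < margin:
        return None
    return best


if __name__ == "__main__":
    addrs = candidates()
    target = addrs[len(addrs) // 2]   # constructed "true" base for the demo
    t = synthetic_timings(target, addrs)
    print(hex(robust_pick(t)), naive_pick(t) == target)
```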