{"id":91,"date":"2017-03-19T13:11:00","date_gmt":"2017-03-19T13:11:00","guid":{"rendered":"https:\/\/piratesecurityblog.com\/?p=91"},"modified":"2021-12-29T11:13:50","modified_gmt":"2021-12-29T11:13:50","slug":"transaction-manager-vulnerability","status":"publish","type":"post","link":"https:\/\/piratesecurityblog.com\/?p=91","title":{"rendered":"Transaction Manager Vulnerability In Windows"},"content":{"rendered":"\n<p>Set up:<br>The exploit is triggered by creating a pipe, a read-write named pipe to be exact.<br>We need to create transaction manager objects, tons of enlistment objects, transaction objects and resource manager objects. The KTM (Kernel Transaction Manager) notifies the resource manager about any state change.<br>The enlistment object connects the resource manager and the transaction manager.<br>Then all the changes are committed during the transaction.<\/p>\n\n\n\n<p>Corrupting data:<br>We create four threads and run them on a single CPU core. first thread calls Another thread calls NtQueryInformationThread in a loop, the second thread executes NtRecoverResourceManager in a loop and the third thread calls NtQueryInformationResourceManager tons of times. Call the function during WriteFile on the previously created named pipe.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Set up: The exploit is triggered by creating a pipe, a read-write named pipe to be exact. We need to create transaction manager objects, tons of enlistment objects, transaction objects and resource manager objects. 
The KTM notifies the resource manager about any state change. The enlistment object connects the resource manager and the transaction manager. Then all the changes are &hellip; <a href=\"https:\/\/piratesecurityblog.com\/?p=91\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Transaction Manager Vulnerability In Windows<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/91"}],"collection":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=91"}],"version-history":[{"count":3,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/91\/revisions"}],"predecessor-version":[{"id":109,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/91\/revisions\/109"}],"wp:attachment":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=91"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=91"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=91"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}