Thursday, December 12, 2024
HomeCVE/vulnerabilityNew Windows 11 Vulnerability Lets Attackers Elevate Privileges

New Windows 11 Vulnerability Lets Attackers Elevate Privileges

Published on

SIEM as a Service

A new vulnerability has been discovered in Windows 11, specifically affecting the 23H2 version.

This vulnerability is identified in the ksthunk.sys driver, allows attackers to exploit an integer overflow in the CKSAutomationThunk::ThunkEnableEventIrp function to escalate their privileges on the system.

Technical Details

The flaw was highlighted during the TyphoonPWN 2024 event, where an independent security researcher successfully demonstrated an exploit that secured them second place in the competition.

- Advertisement - SIEM as a Service

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

The vulnerability resides in the Kernel Streaming Service’s handling of 32-bit processes on a 64-bit system. Below is an excerpt of the critical portion of the code:

__int64 __fastcall CKSAutomationThunk::ThunkEnableEventIrp(__int64 a1, PIRP a2, __int64 a3, int *a4) {
  …
  outlen_adjust = (outbuflen + 0x17) & 0xFFFFFFF8;
  …
  a2->AssociatedIrp.MasterIrp = (struct _IRP *)ExAllocatePool2( 0x61i64, outlen_adjust + (unsigned int)inbuflen, 1886409547i64);
  …
  if ((unsigned int)outbuflen > 0x10)
    memmove((void *)(data + 0x20), (char *)a2->UserBuffer + 16, outbuflen - 16);
  …
}

According to the SSD report, the specific function ThunkEnableEventIrp improperly handles buffer length calculations, leading to a potential integer overflow.

At the core of the issue is the calculation of outlen_adjust, which is derived from the output buffer length plus a constant, realigned for memory allocation.

Due to the lack of overflow validation, this results in a scenario where a smaller than necessary buffer is allocated, leading to a heap overflow when data is subsequently copied into this buffer.

This heap overflow occurs in the non-paged pool, where specially crafted named pipe techniques can be utilized to exploit the vulnerability further.

By controlling the allocation size and data, attackers can achieve arbitrary read and write capabilities, a crucial step in privilege escalation attacks.

The exploitation process involves several steps:

  1. Memory Spraying: Fill memory with specific patterns using named pipes to predictably allocate system memory.
  2. Trigger Vulnerability: Use the identified flaw to cause a heap overflow, affecting adjacent memory objects like named pipes.
  3. Arbitrary Read and Write: Leverage the memory corruption to gain unauthorized memory access, potentially modifying system-level data structures.
  4. Escalate Privileges: By overwriting tokens in the process’s memory, an attacker can elevate their permissions to those of the SYSTEM account, granting full control over the affected system.

Despite the critical nature of this vulnerability, the vendor’s response has been somewhat ambiguous.

They acknowledged the vulnerability but classified it as a duplicate of a previously fixed issue.

However, during testing on the latest version of Windows 11, the vulnerability was still reproducible, raising concerns about the efficacy of the patching process.

This vulnerability highlights the ongoing challenges in ensuring system security, especially in complex operating system environments like Windows 11.

Users and administrators are advised to apply all available security updates from Microsoft promptly and to remain vigilant for any further advisories concerning this issue.

Meanwhile, security researchers continue to stress the importance of thorough validation in input handling, especially in kernel-level code, to prevent such vulnerabilities from arising.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

ConvoC2 – A Red Teamers Tool To Execute Commands on Hacked Hosts Via Microsoft Teams

A stealthy Command-and-Control (C2) infrastructure Red Team tool named ConvoC2 showcases how cyber attackers...

Cleo 0-day Vulnerability Exploited to Deploy Malichus Malware

Cybersecurity researchers have uncovered a sophisticated exploitation campaign involving a zero-day (0-day) vulnerability in...

GitLab Security Update, Patch for Critical Vulnerabilities

GitLab announced the release of critical security patches for its Community Edition (CE) and...

BadRAM Attack Breaches AMD Secure VMs with $10 Device

Researchers have uncovered a vulnerability that allows attackers to compromise AMD's Secure Encrypted Virtualization...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

ConvoC2 – A Red Teamers Tool To Execute Commands on Hacked Hosts Via Microsoft Teams

A stealthy Command-and-Control (C2) infrastructure Red Team tool named ConvoC2 showcases how cyber attackers...

Cleo 0-day Vulnerability Exploited to Deploy Malichus Malware

Cybersecurity researchers have uncovered a sophisticated exploitation campaign involving a zero-day (0-day) vulnerability in...

GitLab Security Update, Patch for Critical Vulnerabilities

GitLab announced the release of critical security patches for its Community Edition (CE) and...