Cyber Security News

New Windows 11 Vulnerability Lets Attackers Elevate Privileges

A new vulnerability has been discovered in Windows 11, specifically affecting the 23H2 version.

This vulnerability is identified in the ksthunk.sys driver, allows attackers to exploit an integer overflow in the CKSAutomationThunk::ThunkEnableEventIrp function to escalate their privileges on the system.

Technical Details

The flaw was highlighted during the TyphoonPWN 2024 event, where an independent security researcher successfully demonstrated an exploit that secured them second place in the competition.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

The vulnerability resides in the Kernel Streaming Service’s handling of 32-bit processes on a 64-bit system. Below is an excerpt of the critical portion of the code:

__int64 __fastcall CKSAutomationThunk::ThunkEnableEventIrp(__int64 a1, PIRP a2, __int64 a3, int *a4) {
  …
  outlen_adjust = (outbuflen + 0x17) & 0xFFFFFFF8;
  …
  a2->AssociatedIrp.MasterIrp = (struct _IRP *)ExAllocatePool2( 0x61i64, outlen_adjust + (unsigned int)inbuflen, 1886409547i64);
  …
  if ((unsigned int)outbuflen > 0x10)
    memmove((void *)(data + 0x20), (char *)a2->UserBuffer + 16, outbuflen - 16);
  …
}

According to the SSD report, the specific function ThunkEnableEventIrp improperly handles buffer length calculations, leading to a potential integer overflow.

At the core of the issue is the calculation of outlen_adjust, which is derived from the output buffer length plus a constant, realigned for memory allocation.

Due to the lack of overflow validation, this results in a scenario where a smaller than necessary buffer is allocated, leading to a heap overflow when data is subsequently copied into this buffer.

This heap overflow occurs in the non-paged pool, where specially crafted named pipe techniques can be utilized to exploit the vulnerability further.

By controlling the allocation size and data, attackers can achieve arbitrary read and write capabilities, a crucial step in privilege escalation attacks.

The exploitation process involves several steps:

  1. Memory Spraying: Fill memory with specific patterns using named pipes to predictably allocate system memory.
  2. Trigger Vulnerability: Use the identified flaw to cause a heap overflow, affecting adjacent memory objects like named pipes.
  3. Arbitrary Read and Write: Leverage the memory corruption to gain unauthorized memory access, potentially modifying system-level data structures.
  4. Escalate Privileges: By overwriting tokens in the process’s memory, an attacker can elevate their permissions to those of the SYSTEM account, granting full control over the affected system.

Despite the critical nature of this vulnerability, the vendor’s response has been somewhat ambiguous.

They acknowledged the vulnerability but classified it as a duplicate of a previously fixed issue.

However, during testing on the latest version of Windows 11, the vulnerability was still reproducible, raising concerns about the efficacy of the patching process.

This vulnerability highlights the ongoing challenges in ensuring system security, especially in complex operating system environments like Windows 11.

Users and administrators are advised to apply all available security updates from Microsoft promptly and to remain vigilant for any further advisories concerning this issue.

Meanwhile, security researchers continue to stress the importance of thorough validation in input handling, especially in kernel-level code, to prevent such vulnerabilities from arising.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems across…

5 hours ago

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21 popular…

5 hours ago

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its focus…

5 hours ago

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu, has…

5 hours ago

Hackers Use Pahalgam Attack-Themed Decoys to Target Indian Government Officials

The Seqrite Labs APT team has uncovered a sophisticated cyber campaign by the Pakistan-linked Transparent…

6 hours ago

LUMMAC.V2 Stealer Uses ClickFix Technique to Deceive Users into Executing Malicious Commands

The LUMMAC.V2 infostealer malware, also known as Lumma or Lummastealer, has emerged as a significant…

6 hours ago