A new vulnerability has been discovered in Windows 11, specifically affecting the 23H2 version.
This vulnerability is identified in the ksthunk.sys driver, allows attackers to exploit an integer overflow in the CKSAutomationThunk::ThunkEnableEventIrp function to escalate their privileges on the system.
The flaw was highlighted during the TyphoonPWN 2024 event, where an independent security researcher successfully demonstrated an exploit that secured them second place in the competition.
Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.
The vulnerability resides in the Kernel Streaming Service’s handling of 32-bit processes on a 64-bit system. Below is an excerpt of the critical portion of the code:
__int64 __fastcall CKSAutomationThunk::ThunkEnableEventIrp(__int64 a1, PIRP a2, __int64 a3, int *a4) {
…
outlen_adjust = (outbuflen + 0x17) & 0xFFFFFFF8;
…
a2->AssociatedIrp.MasterIrp = (struct _IRP *)ExAllocatePool2( 0x61i64, outlen_adjust + (unsigned int)inbuflen, 1886409547i64);
…
if ((unsigned int)outbuflen > 0x10)
memmove((void *)(data + 0x20), (char *)a2->UserBuffer + 16, outbuflen - 16);
…
}According to the SSD report, the specific function ThunkEnableEventIrp improperly handles buffer length calculations, leading to a potential integer overflow.
At the core of the issue is the calculation of outlen_adjust, which is derived from the output buffer length plus a constant, realigned for memory allocation.
Due to the lack of overflow validation, this results in a scenario where a smaller than necessary buffer is allocated, leading to a heap overflow when data is subsequently copied into this buffer.
This heap overflow occurs in the non-paged pool, where specially crafted named pipe techniques can be utilized to exploit the vulnerability further.
By controlling the allocation size and data, attackers can achieve arbitrary read and write capabilities, a crucial step in privilege escalation attacks.
The exploitation process involves several steps:
Despite the critical nature of this vulnerability, the vendor’s response has been somewhat ambiguous.
They acknowledged the vulnerability but classified it as a duplicate of a previously fixed issue.
However, during testing on the latest version of Windows 11, the vulnerability was still reproducible, raising concerns about the efficacy of the patching process.
This vulnerability highlights the ongoing challenges in ensuring system security, especially in complex operating system environments like Windows 11.
Users and administrators are advised to apply all available security updates from Microsoft promptly and to remain vigilant for any further advisories concerning this issue.
Meanwhile, security researchers continue to stress the importance of thorough validation in input handling, especially in kernel-level code, to prevent such vulnerabilities from arising.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
Brinker, an innovative narrative intelligence platform dedicated to combating disinformation and influence campaigns, has been…
A recent investigation by cybersecurity researchers has uncovered a large-scale malware campaign leveraging the DeepSeek…
A recent malware campaign has been observed targeting the First Ukrainian International Bank (PUMB), utilizing…
A newly discovered malware, dubbed Trojan.Arcanum, is targeting enthusiasts of tarot, astrology, and other esoteric…
A sophisticated phishing campaign orchestrated by a Russian-speaking threat actor has been uncovered, revealing the…
A sophisticated malware campaign has compromised over 1,500 PostgreSQL servers, leveraging fileless techniques to deploy…
