New Windows 11 Vulnerability Lets Attackers Elevate Privileges

A new vulnerability has been discovered in Windows 11, specifically affecting the 23H2 version.

This vulnerability is identified in the ksthunk.sys driver, allows attackers to exploit an integer overflow in the CKSAutomationThunk::ThunkEnableEventIrp function to escalate their privileges on the system.

Technical Details

The flaw was highlighted during the TyphoonPWN 2024 event, where an independent security researcher successfully demonstrated an exploit that secured them second place in the competition.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

The vulnerability resides in the Kernel Streaming Service’s handling of 32-bit processes on a 64-bit system. Below is an excerpt of the critical portion of the code:

__int64 __fastcall CKSAutomationThunk::ThunkEnableEventIrp(__int64 a1, PIRP a2, __int64 a3, int *a4) {
  …
  outlen_adjust = (outbuflen + 0x17) & 0xFFFFFFF8;
  …
  a2->AssociatedIrp.MasterIrp = (struct _IRP *)ExAllocatePool2( 0x61i64, outlen_adjust + (unsigned int)inbuflen, 1886409547i64);
  …
  if ((unsigned int)outbuflen > 0x10)
    memmove((void *)(data + 0x20), (char *)a2->UserBuffer + 16, outbuflen - 16);
  …
}

According to the SSD report, the specific function ThunkEnableEventIrp improperly handles buffer length calculations, leading to a potential integer overflow.

At the core of the issue is the calculation of outlen_adjust, which is derived from the output buffer length plus a constant, realigned for memory allocation.

Due to the lack of overflow validation, this results in a scenario where a smaller than necessary buffer is allocated, leading to a heap overflow when data is subsequently copied into this buffer.

This heap overflow occurs in the non-paged pool, where specially crafted named pipe techniques can be utilized to exploit the vulnerability further.

By controlling the allocation size and data, attackers can achieve arbitrary read and write capabilities, a crucial step in privilege escalation attacks.

The exploitation process involves several steps:

1. Memory Spraying: Fill memory with specific patterns using named pipes to predictably allocate system memory.
2. Trigger Vulnerability: Use the identified flaw to cause a heap overflow, affecting adjacent memory objects like named pipes.
3. Arbitrary Read and Write: Leverage the memory corruption to gain unauthorized memory access, potentially modifying system-level data structures.
4. Escalate Privileges: By overwriting tokens in the process’s memory, an attacker can elevate their permissions to those of the SYSTEM account, granting full control over the affected system.

Despite the critical nature of this vulnerability, the vendor’s response has been somewhat ambiguous.

They acknowledged the vulnerability but classified it as a duplicate of a previously fixed issue.

However, during testing on the latest version of Windows 11, the vulnerability was still reproducible, raising concerns about the efficacy of the patching process.

This vulnerability highlights the ongoing challenges in ensuring system security, especially in complex operating system environments like Windows 11.

Users and administrators are advised to apply all available security updates from Microsoft promptly and to remain vigilant for any further advisories concerning this issue.

Meanwhile, security researchers continue to stress the importance of thorough validation in input handling, especially in kernel-level code, to prevent such vulnerabilities from arising.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar