Monday, November 4, 2024
HomeCVE/vulnerabilityPoC Exploit Released For Windows Kernel EoP Vulnerability

PoC Exploit Released For Windows Kernel EoP Vulnerability

Published on

Malware protection

Microsoft released multiple product security patches on their April 2024 Patch Tuesday updates.

One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High). 

This vulnerability relates to a TOCTOU (Time-of-Check Time-of-Use)Race Condition that could be exploited.

- Advertisement - SIEM as a Service

Successful exploitation of this vulnerability could allow a threat actor to gain SYSTEM privileges.

This vulnerability existed in multiple versions of Windows 10, Windows 11, and Windows Server (2019, 2022). 

However, Microsoft has patched this vulnerability, and users are advised to update their Operating Systems accordingly.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Technical Analysis

A proof of concept for this vulnerability has been published in GitHub which consists of a DEF file, a EXP file, a LIB file and an SLN file.

Additionally, another folder was found on the repository, which had a C file, a VCXPROJ file, and a VCXPROJ filters file.

On investigating further, an explanation of this vulnerability was provided by the researcher who discovered this proof of concept.

The explanation suggests that this vulnerability exists due to a double fetch performed by the PspBuildCreateProcessContext function in Windows.

When creating a process, multiple attributes are created and provided to NtCreateUserProcess syscall via PS_ATTRIBUTE_LIST, an array of PS_ATTRIBUTE structures.

This list of attributes will reside in the user mode memory which are then processed by the PspBuildCreateProcessContext function.

As a matter of fact, this function contains a large number of scenarios for handling every attribute type it processes.

On looking deep into it, it was discovered that this PspBuildCreateProcessContext function performs a double-fetch of the Size field when handling the PsAttributeMitigationOptions and PsAttributeMitigationAuditOptions attribute types.

This is where the race condition exists in which the value of the Size field can be changed between the fetches that could potentially result in a stack buffer overflow.

Though this vulnerability has a proof of concept code in GitHub, there is no explanation of exploitation provided.

Windows 23H2 edition code (Source: Exploit for Sale)
Windows 24H2 Edition code (Source: Exploit for Sale)

Affected Products And Fixed In Versions

ProductFixed in Build Number
Windows 10 Version 22H2 for 32-bit Systems10.0.19045.4291
Windows 10 Version 22H2 for ARM64-based Systems10.0.19045.4291
Windows 10 Version 22H2 for x64-based Systems10.0.19045.4291
Windows Server 2022, 23H2 Edition (Server Core installation)10.0.25398.830
Windows 11 Version 23H2 for x64-based Systems10.0.22631.3447
Windows 11 Version 23H2 for ARM64-based Systems10.0.22631.3447
Windows 11 Version 22H2 for x64-based Systems10.0.22621.3447
Windows 11 Version 22H2 for ARM64-based Systems10.0.22621.3447
Windows 10 Version 21H2 for x64-based Systems10.0.19044.4291
Windows 10 Version 21H2 for ARM64-based Systems10.0.19044.4291
Windows 10 Version 21H2 for 32-bit Systems10.0.19044.4291
Windows 11 version 21H2 for ARM64-based Systems10.0.22000.2899
Windows 11 version 21H2 for x64-based Systems10.0.22000.2899
Windows Server 2022 (Server Core installation)10.0.20348.2402
Windows Server 202210.0.20348.2402
Windows Server 2019 (Server Core installation)10.0.17763.5696
Windows Server 201910.0.17763.5696
Windows 10 Version 1809 for ARM64-based Systems10.0.17763.5696
Windows 10 Version 1809 for x64-based Systems10.0.17763.5696
Windows 10 Version 1809 for 32-bit Systems10.0.17763.5696

It is recommended that users of these vulnerable versions upgrade to the latest versions to prevent threat actors from exploiting this vulnerability.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...