Sunday, May 19, 2024

PoC Exploit Released For Windows Kernel EoP Vulnerability

Microsoft released multiple product security patches on their April 2024 Patch Tuesday updates.

One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High). 

This vulnerability relates to a TOCTOU (Time-of-Check Time-of-Use)Race Condition that could be exploited.

Successful exploitation of this vulnerability could allow a threat actor to gain SYSTEM privileges.

This vulnerability existed in multiple versions of Windows 10, Windows 11, and Windows Server (2019, 2022). 

However, Microsoft has patched this vulnerability, and users are advised to update their Operating Systems accordingly.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Technical Analysis

A proof of concept for this vulnerability has been published in GitHub which consists of a DEF file, a EXP file, a LIB file and an SLN file.

Additionally, another folder was found on the repository, which had a C file, a VCXPROJ file, and a VCXPROJ filters file.

On investigating further, an explanation of this vulnerability was provided by the researcher who discovered this proof of concept.

The explanation suggests that this vulnerability exists due to a double fetch performed by the PspBuildCreateProcessContext function in Windows.

When creating a process, multiple attributes are created and provided to NtCreateUserProcess syscall via PS_ATTRIBUTE_LIST, an array of PS_ATTRIBUTE structures.

This list of attributes will reside in the user mode memory which are then processed by the PspBuildCreateProcessContext function.

As a matter of fact, this function contains a large number of scenarios for handling every attribute type it processes.

On looking deep into it, it was discovered that this PspBuildCreateProcessContext function performs a double-fetch of the Size field when handling the PsAttributeMitigationOptions and PsAttributeMitigationAuditOptions attribute types.

This is where the race condition exists in which the value of the Size field can be changed between the fetches that could potentially result in a stack buffer overflow.

Though this vulnerability has a proof of concept code in GitHub, there is no explanation of exploitation provided.

Windows 23H2 edition code (Source: Exploit for Sale)
Windows 24H2 Edition code (Source: Exploit for Sale)

Affected Products And Fixed In Versions

ProductFixed in Build Number
Windows 10 Version 22H2 for 32-bit Systems10.0.19045.4291
Windows 10 Version 22H2 for ARM64-based Systems10.0.19045.4291
Windows 10 Version 22H2 for x64-based Systems10.0.19045.4291
Windows Server 2022, 23H2 Edition (Server Core installation)10.0.25398.830
Windows 11 Version 23H2 for x64-based Systems10.0.22631.3447
Windows 11 Version 23H2 for ARM64-based Systems10.0.22631.3447
Windows 11 Version 22H2 for x64-based Systems10.0.22621.3447
Windows 11 Version 22H2 for ARM64-based Systems10.0.22621.3447
Windows 10 Version 21H2 for x64-based Systems10.0.19044.4291
Windows 10 Version 21H2 for ARM64-based Systems10.0.19044.4291
Windows 10 Version 21H2 for 32-bit Systems10.0.19044.4291
Windows 11 version 21H2 for ARM64-based Systems10.0.22000.2899
Windows 11 version 21H2 for x64-based Systems10.0.22000.2899
Windows Server 2022 (Server Core installation)10.0.20348.2402
Windows Server 202210.0.20348.2402
Windows Server 2019 (Server Core installation)10.0.17763.5696
Windows Server 201910.0.17763.5696
Windows 10 Version 1809 for ARM64-based Systems10.0.17763.5696
Windows 10 Version 1809 for x64-based Systems10.0.17763.5696
Windows 10 Version 1809 for 32-bit Systems10.0.17763.5696

It is recommended that users of these vulnerable versions upgrade to the latest versions to prevent threat actors from exploiting this vulnerability.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 


Latest articles

Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make...

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles