CVE-2024-6769 - DLL Hijacking and Activation Cache Poisoning Exploit in Windows 10, 11 and Windows Server 2016, 2019, 2022

Windows is arguably one of the most popular operating systems globally, and for good reason. It offers excellent functionality, ease of use, and familiarity. However, sometimes even the industry leader can have vulnerabilities. One such vulnerability is CVE-2024-6769.

CVE-2024-6769 is a recently discovered security flaw in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. It is a dangerous vulnerability that allows an authenticated attacker with malicious intent to elevate their privileges from medium integrity process to high integrity process without the need for a User Account Control (UAC) prompt.

This long read post will take a deep dive into the technical aspects of this vulnerability, including code snippets, links to original references, and exploit details. Prepare to have your interest piqued as we take you through the intricate workings of this highly critical security bug.

DLL Hijacking and Activation Cache Poisoning

This vulnerability involves a combination of Dynamic Link Library (DLL) hijacking and activation cache poisoning, both common techniques used to escalate privileges in the Windows environment. These two processes involve manipulating the way Windows loads DLL files and the activation cache, a cache that stores information on installed applications.

DLL hijacking occurs when a Windows application is tricked into loading and executing a malicious DLL with the same name as one of the legitimate DLLs that the application depends on. Activation cache poisoning, on the other hand, affects the internal Windows components responsible for managing applications and components that need to be activated before use.

DLL Hijacking Example

To understand what DLL hijacking is, let's take a look at a simple code snippet that demonstrates the technique. In this example, the attacker creates a malicious DLL named example.dll.

#include <Windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved)
{
    if (ulReason == DLL_PROCESS_ATTACH)
    {
        MessageBox(, "DLL Hijacked!", "Hijack", MB_ICONINFORMATION);
    }
    return TRUE;
}

When the attacker places this malicious example.dll in a directory where the target application has insecure DLL loading and directory search priority, the application inadvertently loads this malicious code instead of the intended, legitimate DLL. As a result, the attacker's payload, in this case, a simple MessageBox, is executed.

Activation Cache Poisoning Example

Activation cache poisoning is more complex but can be illustrated using a malicious COM object (a DLL with a few modifications). The attacker does the following steps:

Create a malicious COM object which includes a class factory

// AddClassFactoryToObjRefTable Function is called to poison the Activation Cache
rs = AddClassFactoryToObjRefTable(m_pUnkMarshaler, &dwThreadId);

Implement the object's MarshalInterface function

// Marshals the IMyInterface interface 
BOOL CMyMarshal::MarshalInterface(MarshalPacket* pPacket)
{
    ...
    // Poison the Activation Cache
    PoisonActivationCache();
    ...
}

Poison the activation cache using ICoCreateInstance and IReleaseStream

void PoisonActivationCache()
{
    // Prepare the Arguments
    ...
    
    // Call ICoCreateInstance to Poison the Activation Cache
    rs = pICoCreateInstance->raw_ICoCreateInstance(clsctx, NULL, x, y, iface, n);
    
    // Call IReleaseStream to Release Stream Object
    rs = pIReleaseStream->raw_IReleaseStream(pObjRefTable, dwThreadId);
}

Once poisoned, the activation cache will lead to the execution of attacker's payload each time the COM object is used by a target application.

Exploit Details and Mitigation

A full exploit for CVE-2024-6769 has not been made public. However, it is important to understand the associated risks, as exploitation can lead to unauthorized execution of code at a high privilege level.

To mitigate the vulnerability, it is crucial to run software as a standard user, rather than an administrator, to reduce the available attack surface. Additionally, Microsoft has released patches addressing this issue (see the links below). Ensure your systems are updated with the latest patches and security updates.

Original References & Useful Resources

1. Microsoft Security Response Center (MSRC) - CVE-2024-6769

2. National Vulnerability Database (NIST) - CVE-2024-6769

3. "Ten Process Injection Techniques" - by Adam Chester

Conclusion

CVE-2024-6769 is a critical security vulnerability impacting multiple Windows operating systems. Ensuring your systems are up-to-date with the latest security patches and following best practices like running software under standard user privileges can help protect against this and other similar threats. Always stay vigilant and keep your systems secure.

Timeline

Published on: 09/26/2024 21:15:07 UTC
Last modified on: 09/30/2024 12:46:20 UTC