How Hackers Can Exploit Windows Driver Use-After-Free Vulnerability (CVE-2024-38193)


A critical use-after-free vulnerability, tracked as CVE-2024-38193, has been found in the Windows driver afd.sys. It affects the Registered I/O (RIO) extension for Windows sockets and lets attackers take over the whole system remotely. The August 2024 Patch Tuesday update addresses the vulnerability.

The flaw lies within the RIO component of the afd.sys driver, which is utilized to optimize socket programming by minimizing system calls.

The issue emerges due to a race condition between two functions, AfdRioGetAndCacheBuffer() and AfdRioDereferenceBuffer(). This condition can be exploited by malicious actors to access freed memory, potentially leading to privilege escalation.
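To make the bug class concrete, the following is an added, deliberately simplified C model of the race described above; it is not code from afd.sys, from Exodus, or from Microsoft's patch. The names `Buffer`, `Registry`, `get_and_cache` and `deregister` are hypothetical stand-ins for a lookup-and-cache path and a deregistration path. Freeing is instrumented with a `freed` flag instead of a real `free()` so the stale use is observable rather than undefined behaviour, and the thread interleaving is replayed deterministically in one thread. The "fixed" policy (the cache holds its own reference and deregistration evicts the cache entry) is one generic remedy for this pattern, not a description of the actual fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical registered-buffer object (not the real RIO structure). */
typedef struct {
    int  id;
    int  refcount;
    bool freed;      /* set instead of calling free(), so a stale use is detectable */
} Buffer;

#define MAX_BUFS 4

/* Hypothetical registry: a registration table plus a lookup cache. */
typedef struct {
    Buffer *bufs[MAX_BUFS];    /* registration table; owns one reference per entry */
    Buffer *cache[MAX_BUFS];   /* per-request lookup cache */
    bool    cache_holds_ref;   /* false = buggy policy, true = fixed policy */
} Registry;

static void registry_init(Registry *r, bool fixed) {
    memset(r, 0, sizeof *r);
    r->cache_holds_ref = fixed;
}

static Buffer *register_buffer(Registry *r, int slot) {
    Buffer *b = calloc(1, sizeof *b);
    b->id = slot;
    b->refcount = 1;           /* the registration table's reference */
    r->bufs[slot] = b;
    return b;
}

/* Drop one reference; the object "dies" when the last one goes. */
static void release_ref(Buffer *b) {
    if (--b->refcount == 0)
        b->freed = true;       /* real code would free() here */
}

/* Look the buffer up and remember it in the cache.
 * Buggy policy: caches a raw pointer without taking a reference,
 * so the cache entry can outlive the registration. */
static Buffer *get_and_cache(Registry *r, int slot) {
    Buffer *b = r->cache[slot];
    if (b == NULL) {
        b = r->bufs[slot];
        if (b == NULL)
            return NULL;
        if (r->cache_holds_ref)
            b->refcount++;     /* fixed policy: cache owns a reference */
        r->cache[slot] = b;
    }
    return b;
}

/* Remove the registration. Fixed policy also evicts the cached entry
 * and drops the reference the cache held, so no dangling pointer remains. */
static void deregister(Registry *r, int slot) {
    Buffer *b = r->bufs[slot];
    if (b == NULL)
        return;
    r->bufs[slot] = NULL;
    if (r->cache_holds_ref && r->cache[slot] == b) {
        r->cache[slot] = NULL;
        release_ref(b);
    }
    release_ref(b);
}

/* Replay the losing interleaving: thread A looks up and caches, thread B
 * deregisters, thread A's next request hits the cache. Returns true when the
 * second lookup hands back a buffer that has already been released. */
bool interleave_uses_freed(bool fixed) {
    Registry r;
    registry_init(&r, fixed);
    Buffer *b = register_buffer(&r, 0);

    Buffer *first = get_and_cache(&r, 0);   /* thread A: lookup + cache */
    deregister(&r, 0);                      /* thread B: deregistration */
    Buffer *again = get_and_cache(&r, 0);   /* thread A: served from cache */

    bool stale = (first == b) && (again != NULL) && again->freed;
    free(b);                                /* release the model allocation */
    return stale;
}

int main(void) {
    printf("buggy policy serves freed buffer: %s\n", interleave_uses_freed(false) ? "yes" : "no");
    printf("fixed policy serves freed buffer: %s\n", interleave_uses_freed(true) ? "yes" : "no");
    return 0;
}
```

The takeaway for reviewers of similar code is the invariant: any cache that stores a pointer to a reference-counted object must either hold its own reference or be invalidated under the same lock that tears the object down; a lookup path and a teardown path that each assume the other has not run is exactly the window this CVE describes.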


Technical Analysis

The RIO extension facilitates efficient send and receive operations by allowing userland programs to register large buffers. However, the race condition between the mentioned functions can be triggered by manipulating the buffer registration and deregistration processes. This exploitation involves several intricate steps:

  1. Heap Spraying: Malicious users can fill the non-paged pool with fake RIOBuffer structures using named pipes, creating conditions ripe for exploitation.
  2. Triggering Use-After-Free: The exploit requires two threads—one for continuous buffer usage and another for buffer deregistration. If the race condition is successful, it results in entries in the cache pointing to freed RIOBuffer structures.
  3. Privilege Escalation: The exploit takes control over these structures, potentially overwriting critical kernel memory locations to gain NT AUTHORITY\SYSTEM privileges.

The primary exploitation strategy involves crafting fake RIOBuffer structures within the non-paged pool. By creating concurrent threads, attackers can manipulate the afd.sys driver into using these freed structures, allowing them to perform arbitrary reads and writes.

“This ultimately enables privilege escalation. With the non-paged pool setup completed, we can trigger the use-after-free vulnerability.”

“In order to trigger it, the exploit must create two concurrent threads: one that keeps using the registered buffers by issuing read/write requests and the other one that loops through all the registered buffers and tries to deregister them,” an Exodus researcher said.

Microsoft has released a patch addressing this vulnerability. We strongly advise users and organizations to promptly apply the August 2024 security updates to mitigate potential exploitation risks. Administrators should also make sure that all systems are running updated antivirus software and are set up to apply security updates automatically.

CVE-2024-38193 highlights the importance of timely patch management and vigilant system monitoring. While the vulnerability poses a significant risk, applying the latest security updates can effectively neutralize the threat.
