New Windows 11 Integer Overflow Vulnerability Lets Attackers Elevate Privileges


A critical security flaw in Windows 11 has been discovered, allowing attackers to gain elevated system privileges through an integer overflow vulnerability.

The exploit, which affects the ksthunk.sys driver, was successfully demonstrated at the recent TyphoonPWN 2024 event, where it secured second place.

The vulnerability, found in the CKSAutomationThunk::ThunkEnableEventIrp function of ksthunk.sys, can be exploited by local attackers to gain elevated privileges in the Windows operating system.

This security issue is particularly concerning as it affects Windows 11 23H2, one of the latest versions of Microsoft’s flagship operating system, according to the SSD Disclosure advisory.

The exploit takes advantage of an integer overflow that occurs during the calculation of buffer sizes. By manipulating input parameters, attackers can cause a heap overflow, which can then be leveraged to execute arbitrary code with system privileges.
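
The bug class described above, as an added illustration that is not code from ksthunk.sys or from the SSD advisory: a 32-bit buffer-size calculation that wraps for large inputs, next to a version that rejects them. The header size, alignment and function names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define HDR_SIZE 0x18u   /* hypothetical fixed header length */
#define ALIGN    8u      /* hypothetical payload alignment */

/* Unchecked: rounds data_len up to ALIGN and adds the header in 32 bits.
 * For data_len close to UINT32_MAX the result wraps to a small number,
 * so the allocation is far smaller than a later copy of data_len bytes. */
uint32_t alloc_size_unchecked(uint32_t data_len)
{
    return ((data_len + (ALIGN - 1)) & ~(ALIGN - 1)) + HDR_SIZE;
}

/* Checked: rejects any length for which the rounding or the addition
 * would exceed UINT32_MAX; *out is written only on success. */
bool alloc_size_checked(uint32_t data_len, uint32_t *out)
{
    if (data_len > UINT32_MAX - (ALIGN - 1))
        return false;                      /* rounding would wrap */
    uint32_t aligned = (data_len + (ALIGN - 1)) & ~(ALIGN - 1);
    if (aligned > UINT32_MAX - HDR_SIZE)
        return false;                      /* header addition would wrap */
    *out = aligned + HDR_SIZE;
    return true;
}

int main(void)
{
    /* Constructed inputs: one ordinary length and two near UINT32_MAX. */
    uint32_t lens[] = { 0x100u, 0xFFFFFFF0u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t size = 0;
        bool ok = alloc_size_checked(lens[i], &size);
        printf("len=0x%08x unchecked=0x%08x checked=%s\n",
               (unsigned)lens[i], (unsigned)alloc_size_unchecked(lens[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```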

Key aspects of the vulnerability include:

  1. Exploitation of the WOW handler for the Kernel Streaming Service
  2. Manipulation of buffer allocation and data copying processes
  3. Bypassing of memory protection mechanisms

Vendor Response and Patch Status

Despite the severity of the vulnerability, Microsoft’s response has been less than satisfactory. The company claimed that the issue was a duplicate and had already been fixed but did not provide specific patch information or a CVE number.

Alarmingly, security researchers reported that the vulnerability remained exploitable on the latest version of Windows 11 at the time of discovery, raising concerns about the effectiveness of Microsoft’s patching process.

This vulnerability highlights the ongoing challenges in maintaining the security of complex operating systems. Windows 11 users are potentially at risk, especially if the flaw remains unpatched or inadequately addressed.

Security experts advise users to:

  • Keep their systems updated with the latest security patches
  • Be cautious when running untrusted applications
  • Monitor for any unusual system behavior
