PoC Exploit Released For Windows Kernel-Mode Drivers Privilege Escalation Flaw


A critical vulnerability in Windows Kernel-Mode Drivers has been exposed with the release of a Proof-of-Concept (PoC) exploit, allowing attackers to escalate privileges to SYSTEM level.

The vulnerability, identified as CVE-2024-35250, affects various versions of Windows, including Windows 11 and Windows Server editions.


The flaw is described as a Windows Kernel-Mode Driver Elevation of Privilege Vulnerability, which an attacker can exploit to gain elevated privileges on a compromised system.

This vulnerability is particularly concerning as it allows attackers to bypass security measures and execute arbitrary code with SYSTEM privileges.


The vulnerability was first highlighted in a detailed blog post by DEVCORE, a cybersecurity research firm, which delved into the attack surface of Windows Kernel Streaming.

The researchers identified several vulnerabilities, including CVE-2024-35250, which was used in the Pwn2Own Vancouver 2024 event to successfully compromise Windows 11.

The PoC exploit on GitHub demonstrates how an attacker can exploit the vulnerability to achieve arbitrary code execution with SYSTEM privileges.

The exploit leverages a logical bug in the Kernel Streaming service, specifically in the handling of `IOCTL_KS_PROPERTY` requests.

By manipulating the `RequestorMode` field in the IRP, an attacker can bypass security checks and execute arbitrary code.

The vulnerability is attributed to an oversight in the Kernel Streaming architecture, which allows an attacker to perform arbitrary `IOCTL_KS_PROPERTY` operations.

This can be achieved by using the `KSPROPERTY_TYPE_UNSERIALIZESET` flag, which allows an attacker to operate on multiple properties through a single call.

By exploiting this flaw, an attacker can gain control over the system and execute arbitrary code with elevated privileges.

The release of the PoC exploit highlights the urgency of patching vulnerable systems. Microsoft has already issued a security update to address the vulnerability, and users are advised to update their systems as soon as possible to prevent exploitation.

In light of this development, cybersecurity experts are emphasizing the importance of keeping systems up-to-date and implementing robust security measures to prevent such attacks.

The vulnerability has been present in Windows systems for nearly 20 years, making it a critical issue that requires immediate attention.

Users are advised to update their systems to the latest version to prevent exploitation of this vulnerability. The PoC exploit serves as a reminder of the importance of staying vigilant and proactive in addressing security vulnerabilities.
