New Windows 11 Integer Overflow Vulnerability Grants Privilege Escalation

A critical integer overflow vulnerability in Windows 11's ksthunk.sys driver allows local attackers to escalate privileges to SYSTEM-level access. Discovered during the TyphoonPWN 2024 event, this flaw remains exploitable even after Microsoft's acknowledgment, posing a significant security risk for users on Windows 11 23H2.

New Windows 11 Integer Overflow Vulnerability Grants Privilege Escalation

 New Windows 11 Integer Overflow Vulnerability Lets Attackers Elevate Privileges

A recently discovered security vulnerability in Windows 11 has raised significant concerns, as it allows attackers to escalate their privileges and gain SYSTEM-level access. This critical flaw resides in the ksthunk.sys driver, specifically in the CKSAutomationThunk::ThunkEnableEventIrp function, affecting the 23H2 version of Windows 11. SSD Secure Disclosure Advisory:

The vulnerability, which was first identified at the TyphoonPWN 2024 event, has the potential to allow a local attacker to manipulate system memory and gain elevated privileges. The exploit, which secured second place at the competition, demonstrated how attackers could bypass security mechanisms to execute arbitrary code with SYSTEM privileges.

Technical Overview of the Vulnerability

The vulnerability stems from an integer overflow in the ksthunk.sys driver, which is responsible for managing the Kernel Streaming Service (KSS) in Windows. The flaw specifically exists in the ThunkEnableEventIrp function, which is used when the system deals with 32-bit processes on a 64-bit system.

Technical Analysis

The ksthunk.sys driver is part of the Kernel Streaming Service (KSS), which facilitates the handling of 32-bit processes in a 64-bit environment. The vulnerable function, ThunkEnableEventIrp, is triggered when the ioctl number 0x2F0007 is called. This function involves buffer size calculations and memory allocation which are critical to the exploitation of the vulnerability.

Here is the part of the function that contains the integer overflow vulnerability:

outlen_adjust = (outbuflen + 0x17) & 0xFFFFFFF8;

his calculation is supposed to adjust the output buffer length to align it to an 8-byte boundary. However, due to the lack of overflow validation, the outlen_adjust value can become very small, which leads to improper memory allocation.

Subsequent memory validation checks ensure that buffer sizes are valid, but due to the overflow, these checks are bypassed, and memory is incorrectly allocated. This leads to a heap overflow condition, where memory regions are overwritten. The overflow occurs when data is copied into the allocated buffer at

memmove((void *)(data + 0x20), (char *)a2->UserBuffer + 16, outbuflen - 16);

Exploitation Details

To successfully exploit this vulnerability, an attacker must trigger the overflow condition and overwrite system memory. This process typically involves two obstacles:

  1. Memory Allocation Constraints: The ProbeForRead function checks if the user buffer is large enough for the required operation, and while this check seems to validate buffer length, it does not adequately check the buffer’s size, allowing the overflow to be triggered. This is how attackers can bypass the ProbeForRead check:

VOID ProbeForRead(ULONG_PTR Address, SIZE_T Length, ULONG Alignment) {
    if ((Length) != 0) {
        if ((Address & (Alignment - 1)) != 0) {
            ExRaiseDatatypeMisalignment();
        }
        if ((Address + Length - 1) < Address || (Address + Length - 1) > MM_USER_PROBE_ADDRESS) {
            ExRaiseAccessViolation(); 
        }
    }
}

  • The buffer size check is bypassed because the function checks the memory address, not the allocated size. This allows the overflow to occur even when the buffer size exceeds the expected value.

  • Copying Data Without Proper Size Check: During the copy process, the buffer's size is potentially too large. By causing a user memory fault exception, the attacker can stop the copy process and control where the overflow occurs, as shown in the following illustration:

a2->UserBuffer
+======================================
| ...... Buffer ....... | Unmapped Memory
+======================================
---------------------->| Copying until here
Kernel Memory
+======================================
| Allocated Mem | Next Memory  ...  | 
+======================================

The attacker can craft a memory layout that causes a memory fault, effectively controlling the copy operation and leading to the heap overflow at the desired location.

Exploit Execution

To exploit the heap overflow, an attacker can use the Named-Pipe technique, a reliable method for manipulating non-paged pool memory. The process involves spraying named pipe objects and creating a hole between them. Here's a brief outline of the exploit process:

  1. Memory Spraying: The attacker sprays 0x1000 size named-pipe objects, ensuring that there is a predictable gap between them.

  2. Trigger the Overflow: By triggering the Out-of-Bounds (OOB) vulnerability, the attacker overwrites adjacent memory regions and controls the heap layout.

  3. Arbitrary Read/Write: The attacker can then exploit the heap overflow to perform arbitrary memory read and write operations, including obtaining the system’s token address and exploiting arbitrary write primitives to overwrite the token with SYSTEM privileges.

Here is how an arbitrary write is triggered:

// Arbitrary write by manipulating IoStatus
irp->IoStatus.Status = 0;
irp->UserIosb = desired address;  // Overwrite with a controlled address

By overwriting the token associated with the current process, the attacker can escalate privileges to SYSTEM level, gaining full control over the compromised system.

Vendor Response and Patch Status

Despite the critical nature of this vulnerability, Microsoft’s response has been somewhat ambiguous. The company initially claimed that the issue was a duplicate of a previously reported vulnerability and had already been addressed. However, when security researchers tested the latest version of Windows 11 (23H2), they found that the vulnerability remained exploitable, even after the supposed patch was applied.

This has raised concerns about the effectiveness of Microsoft's patching process and the company's ability to address such critical vulnerabilities in a timely manner.

While Microsoft has yet to provide detailed patch information or a CVE number for the issue, security experts emphasize the need for users and administrators to remain vigilant and apply any available updates from Microsoft promptly.

Impact and Recommendations

This vulnerability is a prime example of the ongoing challenges in securing complex operating systems like Windows 11. Kernel-level vulnerabilities are particularly dangerous, as they allow attackers to bypass most security mechanisms and gain full control of a system.

Recommendations for Windows 11 Users:

  • Update Windows 11: Ensure that your system is fully updated with the latest patches from Microsoft. If you haven't yet received an update, check for the latest security patches manually.
  • Monitor System Behavior: Look out for unusual system behavior or crashes that could indicate an attack.
  • Be Cautious with Untrusted Applications: Only run applications from trusted sources to reduce the risk of exploitation.
  • Enable Windows Defender: Ensure Windows Defender or another trusted antivirus solution is running to provide an additional layer of security.

Conclusion

This integer overflow vulnerability in Windows 11 is a serious concern for both individual users and enterprise environments. While Microsoft’s initial patching response has been lackluster, it’s crucial for users to stay on top of the latest security updates. As this vulnerability remains exploitable, the importance of timely patching and proactive security measures cannot be overstated.

Security experts continue to urge Microsoft to provide clear and effective solutions for this flaw. Until then, users should remain cautious and ensure that all relevant updates are applied to mitigate the risk.