Quick take - A vulnerability in the ksthunk.sys file of the Windows operating system, specifically within the CKSAutomationThunk::ThunkEnableEventIrp function, has been identified as an Integer Overflow that could allow local attackers to gain elevated privileges, with concerns raised about the adequacy of the vendor’s response to the issue despite claims of a fix.

Fast Facts

A critical Integer Overflow vulnerability in ksthunk.sys allows local attackers to gain elevated privileges on Windows 11 version 23H2.
Demonstrated at TyphoonPWN 2024, the exploit showcased its severity, achieving second place in the competition.
The vendor claims the vulnerability is a duplicate of a previous issue and has a fix, but no timeline or CVE number has been provided, and recent tests show it remains exploitable.
Exploitation involves manipulating buffer lengths and memory allocation through named pipes, leading to heap overflow and potential system-level privilege escalation.
The article includes detailed technical analysis and references a GitHub document for further guidance on exploiting the vulnerability.

Significant Vulnerability in `ksthunk.sys`

A significant vulnerability has been identified in the ksthunk.sys file, specifically within the CKSAutomationThunk::ThunkEnableEventIrp function, which is part of the Windows operating system. This vulnerability is classified as an Integer Overflow, allowing a local attacker to exploit the issue to gain elevated privileges on affected systems, particularly Windows 11 version 23H2.

Demonstration and Discovery

The exploit was notably demonstrated at the TyphoonPWN 2024 event, where it achieved second place, showcasing its potential severity and impact. An independent security researcher is credited with both the discovery of this vulnerability and its demonstration, highlighting the critical role of external researchers in identifying security risks.

Vendor Response and Technical Analysis

While the vendor has stated that the vulnerability is a duplicate of a previously reported issue and claims to have implemented a fix, they did not provide a specific timeline for when the patch will be available. Despite these claims, recent testing indicates that the vulnerability remains exploitable in the latest version of Windows 11, raising concerns about the adequacy of the vendor’s response.

No CVE number or specific patch information has been released by the vendor regarding this issue, which further complicates the response for users and administrators seeking to mitigate risks. Technical analysis reveals that the vulnerability is linked to the WOW handler for the Kernel Streaming Service, responsible for enabling 32-bit processes.

Exploitation of the vulnerability involves manipulating buffer lengths and memory allocation, leading to a heap overflow. Specific conditions must be met for the vulnerability to be triggered, including the size of the input buffer and the nature of the calling process. Attackers can exploit the vulnerability by using named pipes to control allocation sizes and data, making the process relatively straightforward.

The steps involved in the exploitation include spraying named pipe objects, triggering the out-of-bounds vulnerability, and overwriting adjacent memory, which allows for arbitrary read and write operations. This capability enables attackers to manipulate system tokens, ultimately granting them system-level privileges.

The article detailing the vulnerability contains comprehensive technical descriptions of the exploit process, including code snippets and memory layout manipulations. Additionally, the researcher referenced a GitHub document for further guidance on exploiting the non-paged pool overflow, emphasizing the importance of addressing this vulnerability to prevent potential exploitation in real-world scenarios.

Original Source: Read the Full Article Here