Microsoft released multiple product security patches on their April 2024 Patch Tuesday updates.
One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High).
This vulnerability relates to a TOCTOU (Time-of-Check Time-of-Use)Race Condition that could be exploited.
Successful exploitation of this vulnerability could allow a threat actor to gain SYSTEM privileges.
This vulnerability existed in multiple versions of Windows 10, Windows 11, and Windows Server (2019, 2022).
However, Microsoft has patched this vulnerability, and users are advised to update their Operating Systems accordingly.
Technical Analysis
A proof of concept for this vulnerability has been published in GitHub which consists of a DEF file, a EXP file, a LIB file and an SLN file.
Additionally, another folder was found on the repository, which had a C file, a VCXPROJ file, and a VCXPROJ filters file.
On investigating further, an explanation of this vulnerability was provided by the researcher who discovered this proof of concept.
The explanation suggests that this vulnerability exists due to a double fetch performed by the PspBuildCreateProcessContext function in Windows.
When creating a process, multiple attributes are created and provided to NtCreateUserProcess syscall via PS_ATTRIBUTE_LIST, an array of PS_ATTRIBUTE structures.
This list of attributes will reside in the user mode memory which are then processed by the PspBuildCreateProcessContext function.
As a matter of fact, this function contains a large number of scenarios for handling every attribute type it processes.
On looking deep into it, it was discovered that this PspBuildCreateProcessContext function performs a double-fetch of the Size field when handling the PsAttributeMitigationOptions and PsAttributeMitigationAuditOptions attribute types.
This is where the race condition exists in which the value of the Size field can be changed between the fetches that could potentially result in a stack buffer overflow.
Though this vulnerability has a proof of concept code in GitHub, there is no explanation of exploitation provided.
Affected Products And Fixed In Versions
Product | Fixed in Build Number |
Windows 10 Version 22H2 for 32-bit Systems | 10.0.19045.4291 |
Windows 10 Version 22H2 for ARM64-based Systems | 10.0.19045.4291 |
Windows 10 Version 22H2 for x64-based Systems | 10.0.19045.4291 |
Windows Server 2022, 23H2 Edition (Server Core installation) | 10.0.25398.830 |
Windows 11 Version 23H2 for x64-based Systems | 10.0.22631.3447 |
Windows 11 Version 23H2 for ARM64-based Systems | 10.0.22631.3447 |
Windows 11 Version 22H2 for x64-based Systems | 10.0.22621.3447 |
Windows 11 Version 22H2 for ARM64-based Systems | 10.0.22621.3447 |
Windows 10 Version 21H2 for x64-based Systems | 10.0.19044.4291 |
Windows 10 Version 21H2 for ARM64-based Systems | 10.0.19044.4291 |
Windows 10 Version 21H2 for 32-bit Systems | 10.0.19044.4291 |
Windows 11 version 21H2 for ARM64-based Systems | 10.0.22000.2899 |
Windows 11 version 21H2 for x64-based Systems | 10.0.22000.2899 |
Windows Server 2022 (Server Core installation) | 10.0.20348.2402 |
Windows Server 2022 | 10.0.20348.2402 |
Windows Server 2019 (Server Core installation) | 10.0.17763.5696 |
Windows Server 2019 | 10.0.17763.5696 |
Windows 10 Version 1809 for ARM64-based Systems | 10.0.17763.5696 |
Windows 10 Version 1809 for x64-based Systems | 10.0.17763.5696 |
Windows 10 Version 1809 for 32-bit Systems | 10.0.17763.5696 |
It is recommended that users of these vulnerable versions upgrade to the latest versions to prevent threat actors from exploiting this vulnerability.
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot