CVE-2024-30088 | Windows kernel | AMW
| Vulnerability | CVE-2024-30088 |
|---|---|
| Type | Arbitrary Memory Write |
| Description | CVE-2024-30088 is a vulnerability in the Windows kernel function AuthzBasepCopyoutInternalSecurityAttributes. The flaw occurs during the copy of security attributes to user mode, which leads to a time-of-check-to-time-of-use (TOCTOU) race condition. |
| The Impact of the Bug | The vulnerability allows for an arbitrary write to memory, which can be exploited to escalate privileges or execute arbitrary code within the kernel. |
| How to detect whether a system is exposed to this attack vector? | Systems running unpatched Windows versions are affected when NtQueryInformationToken is called with the TokenAccessInformation class, since that path reaches the vulnerable copy-out routine. |
| Exploitation | The exploit uses a racing thread to alter the buffer pointer before RtlCopyUnicodeString is called, allowing arbitrary memory write with controlled values. |
| Patch | The patch for CVE-2024-30088 updated the Windows kernel function AuthzBasepCopyoutInternalSecurityAttributes to use a kernel stack buffer. The security attributes are first copied into a buffer on the kernel stack and only then transferred to user memory, so user mode can no longer change the data between the kernel's check and its use; this closes the time-of-check-to-time-of-use (TOCTOU) race condition that allowed arbitrary memory writes. |
| References | https://github.com/tykawaii98/CVE-2024-30088, https://github.com/NextGenPentesters/CVE-2024-30088 |
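As an added illustration (not code from this page, from Windows, or from the referenced repositories), the C model below shows the double-fetch pattern behind a TOCTOU copy-out next to the snapshot-to-kernel-stack fix the patch description refers to. The descriptor layout, the probe routine and the function names are hypothetical simplifications, and the concurrent user thread is simulated deterministically by a callback so the behaviour can be checked.

```c
/* Hypothetical model of a kernel copy-out routine that validates a
 * user-controlled destination, then uses it: once with a double fetch
 * (vulnerable) and once after snapshotting the descriptor to the kernel
 * stack (the mitigation pattern). Names are illustrative, not Windows APIs. */
#include <stddef.h>
#include <string.h>

/* Simplified user-supplied descriptor: where the kernel should write. */
typedef struct { char *buffer; size_t length; } user_desc_t;

/* Stand-in for the user-mode address range the probe accepts. */
static char g_user_region[64];
/* Stand-in for memory the kernel must never write (e.g. a kernel address). */
static char g_protected_region[64];

/* Models a ProbeForWrite-style check: accept pointers inside the user region. */
static int probe_for_write(const char *p, size_t len) {
    return p >= g_user_region && p + len <= g_user_region + sizeof g_user_region;
}

/* Represents a concurrent user thread mutating the descriptor mid-call. */
typedef void (*race_hook_t)(user_desc_t *shared);

/* Vulnerable pattern: validates shared->buffer, then re-reads it for the copy. */
int copyout_double_fetch(user_desc_t *shared, const char *src, size_t n, race_hook_t race) {
    if (!probe_for_write(shared->buffer, n)) return -1;   /* check: first fetch */
    if (race) race(shared);                                 /* window: pointer is swapped */
    memcpy(shared->buffer, src, n);                         /* use: second fetch */
    return 0;
}

/* Mitigated pattern: capture the descriptor into a kernel stack copy once,
 * then validate and use only that copy, so a later user change is irrelevant. */
int copyout_snapshot(user_desc_t *shared, const char *src, size_t n, race_hook_t race) {
    user_desc_t local = *shared;                            /* single fetch */
    if (!probe_for_write(local.buffer, n)) return -1;
    if (race) race(shared);                                 /* cannot affect `local` */
    memcpy(local.buffer, src, n);
    return 0;
}

/* Constructed race: redirect the shared descriptor at protected memory. */
static void flip_to_protected(user_desc_t *shared) { shared->buffer = g_protected_region; }

/* Runs one copy-out under the simulated race; returns which region was
 * written: 1 = user region (expected), 2 = protected region (out-of-bounds). */
int run_scenario(int (*fn)(user_desc_t *, const char *, size_t, race_hook_t)) {
    memset(g_user_region, 0, sizeof g_user_region);
    memset(g_protected_region, 0, sizeof g_protected_region);
    user_desc_t shared = { g_user_region, sizeof g_user_region };
    fn(&shared, "attr", 4, flip_to_protected);
    return g_protected_region[0] ? 2 : (g_user_region[0] ? 1 : 0);
}
```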