Windows Admin-to-Kernel Elevation of Privilege (CVE-2024-21338)
2024-04-10 • Hakai Security •
Lazarus used CVE-2024-21338 through its FudModule rootkit to move from administrator privileges into the Windows kernel without bringing a separate vulnerable driver. The flaw in the built-in appid.sys AppLocker driver exposes the AipSmartHashImageFile function through IOCTL 0x22A018, allowing a crafted callback to change the KTHREAD PreviousMode field and enable kernel-memory reads and writes. The exploitation chain impersonates SYSTEM and LOCAL SERVICE tokens to access the AppID device, then uses the kCFG-compatible ExpProfileDelete function to decrement PreviousMode while avoiding SMEP and kCFG restrictions. Microsoft's February 2024 patch added an ExGetPreviousMode check to block user-mode calls from reaching the vulnerable callback path.