Windows Admin-to-Kernel Elevation of Privilege (CVE-2024-21338)

2024-04-10 Hakai Security

https://hakaisecurity.io/cve-2024-21338-from-admin-to-kernel-through-token-manipulation-and-windows-kernel-exploitation/research-blog/

Thumbnail for Windows Admin-to-Kernel Elevation of Privilege (CVE-2024-21338)

Lazarus used CVE-2024-21338 through its FudModule rootkit to move from administrator privileges into the Windows kernel without bringing a separate vulnerable driver. The flaw in the built-in appid.sys AppLocker driver exposes the AipSmartHashImageFile function through IOCTL 0x22A018, allowing a crafted callback to change the KTHREAD PreviousMode field and enable kernel-memory reads and writes. The exploitation chain impersonates SYSTEM and LOCAL SERVICE tokens to access the AppID device, then uses the kCFG-compatible ExpProfileDelete function to decrement PreviousMode while avoiding SMEP and kCFG restrictions. Microsoft's February 2024 patch added an ExGetPreviousMode check to block user-mode calls from reaching the vulnerable callback path.

Related Reports

« Back