A critical vulnerability has been discovered in Windows 11, specifically in the 23H2 version, that allows attackers to escalate their privileges. The flaw resides in the ksthunk.sys driver, particularly within the CKSAutomationThunk::ThunkEnableEventIrp function, which handles 32-bit processes on a 64-bit system. The issue stems from improper buffer length calculations, leading to an integer overflow. This oversight causes a heap overflow when data is copied into an inadequately sized buffer, ultimately giving attackers the ability to manipulate system memory.
This vulnerability enables attackers to gain unauthorized read and write access to memory, a critical step in privilege escalation attacks. By leveraging named pipe techniques, attackers can manipulate memory allocation, causing a heap overflow that corrupts adjacent memory objects. This process allows for the arbitrary modification of system-level data structures, granting attackers the ability to overwrite tokens in memory, elevating their privileges to those of the SYSTEM account. As a result, attackers can gain full control over the affected system, putting sensitive data and critical infrastructure at risk.
The vulnerability was highlighted during the TyphoonPWN 2024 event, where a security researcher demonstrated its exploit successfully. Despite Microsoft acknowledging the issue, their response has been unclear, with the company classifying the flaw as a duplicate of a previously addressed problem. However, tests conducted on the latest version of Windows 11 show that the vulnerability remains reproducible, raising concerns about the effectiveness of Microsoft’s patching process and the potential for further exploitation.
Given the severity of this vulnerability, security experts are urging all Windows 11 users to apply the latest security patches from Microsoft immediately. The flaw underscores the ongoing challenges in securing complex operating system environments, particularly at the kernel level. As attackers continue to evolve their techniques, it is critical for both users and administrators to stay vigilant, apply updates promptly, and implement best practices for system security to protect against such privilege escalation vulnerabilities.
