CVE-2023-29360

Kernel Streaming Server -- MmProbeAndLockPages called with KernelMode on user MDL

Summary

Field	Value
Driver	`mskssrv.sys`
Vulnerability Class	MDL Handling
Vulnerable Build	`10.0.22621.1702` (KB5026372)
Fixed Build	`10.0.22621.1848` (KB5027231)
Exploited ITW	No

Affected Functions

FsAllocAndLockMdl
FsAllocateAndLock

Root Cause

The Kernel Streaming Service Proxy (mskssrv.sys) manages media streaming between user-mode applications and kernel-mode components. When a user-mode process requests streaming operations through the \Device\MSKSSRV device, the driver needs to lock user-supplied buffers into physical memory so they remain accessible during DMA transfers.

The problem sits in FsAllocAndLockMdl and FsAllocateAndLock. These functions build an MDL (Memory Descriptor List) from a user-supplied virtual address and then call MmProbeAndLockPages to validate and lock the pages. The critical mistake is the access mode parameter: the driver passes KernelMode instead of UserMode. When MmProbeAndLockPages receives KernelMode, it skips the check that verifies the virtual address range falls within user space. This means the caller can supply a kernel virtual address, and the function will happily lock those pages without objection.

The result is that a user-mode process can construct an MDL pointing at arbitrary kernel memory. The driver then performs read or write operations against that MDL, treating whatever kernel address the attacker specified as a legitimate streaming buffer.

AutoPiff categorizes this as mdl_handling with detection rules:

mdl_probe_access_mode_fix

Exploitation

An attacker opens a handle to \Device\MSKSSRV and issues IOCTLs that reach the vulnerable allocation path. By supplying a kernel virtual address as the "user buffer," the driver locks the corresponding kernel pages and later writes streaming data into them, or reads from them back to user space. This gives the attacker a controlled read/write primitive over arbitrary kernel memory.

The path from primitive to SYSTEM follows the standard EPROCESS token swap. The attacker uses the kernel write to locate the current process's EPROCESS structure and overwrite its Token field with the token pointer from the SYSTEM process (PID 4). Once the token is replaced, the process inherits SYSTEM privileges.

What makes this bug particularly clean is the absence of any race condition or heap grooming requirement. The MDL access mode confusion provides a deterministic, reliable kernel read/write in a single IOCTL call.

Patch Analysis

The fix in KB5027231 changes the access mode parameter in the MmProbeAndLockPages call from KernelMode to UserMode. With UserMode specified, the function now validates that all pages in the MDL fall within the user-mode address range, raising an exception if a kernel address is supplied. AutoPiff detects this via the mdl_probe_access_mode_fix rule, which fires when binary diffing shows an access mode constant change in MDL probing calls.

Detection

YARA Rule

rule CVE_2023_29360_MSKSSRV {
    meta:
        description = "Detects vulnerable version of mskssrv.sys (pre-patch)"
        cve = "CVE-2023-29360"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "mskssrv.sys" wide ascii nocase
        $vuln_build = "10.0.22621.1702" wide ascii
        $alloc_mdl = "FsAllocAndLockMdl" ascii
        $alloc_lock = "FsAllocateAndLock" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($alloc_mdl, $alloc_lock)
}

ETW Indicators

Provider	Event / Signal	Relevance
`Microsoft-Windows-Streaming`	MDL allocation on `\Device\MSKSSRV`	Monitors Kernel Streaming MDL operations where the driver incorrectly probes user-supplied pages with KernelMode access
`Microsoft-Windows-Kernel-Audit`	Token modification (Event ID 4672)	Captures privilege escalation after the attacker leverages the MDL-based write primitive
`Microsoft-Windows-Kernel-Process`	Process token change	Detects the exploiting process replacing its token with SYSTEM via the kernel write primitive
`Microsoft-Windows-Security-Auditing`	Special privileges assigned (Event ID 4672)	Alerts when a low-privilege process obtains SYSTEM privileges through token manipulation

Behavioral Indicators

A user-mode process opens a handle to \Device\MSKSSRV and issues IOCTLs that cause the driver to call MmProbeAndLockPages with KernelMode access on a user-supplied MDL, bypassing page permission checks
The attacker supplies a user-mode virtual address in the MDL that maps to a kernel structure, allowing the driver to lock and write to kernel memory as if the caller had kernel-level access
Arbitrary kernel write primitive achieved through the MDL confusion: the driver writes data to an attacker-controlled kernel address because the probing used KernelMode instead of UserMode
Token swapping in the EPROCESS structure, where the exploiting process overwrites its Token field with the SYSTEM token pointer using the write primitive
Non-media processes (processes that are not audio/video applications) interacting with the MSKSSRV device, indicating abuse of the streaming subsystem for exploitation

Broader Significance

CVE-2023-29360 is a textbook example of how a single wrong constant can collapse an entire security boundary. The KernelMode vs UserMode distinction in MmProbeAndLockPages is the only thing preventing user-mode code from constructing MDLs over kernel memory. This same class of bug has appeared in multiple Windows drivers over the years, making it a reliable pattern for vulnerability researchers auditing MDL usage. The mskssrv.sys driver would be hit again just months later with CVE-2023-36802, a type confusion in the same driver, suggesting the streaming subsystem remained under-audited at the time of this fix.