CVE-2023-29360
Kernel Streaming Server — MmProbeAndLockPages called with KernelMode on user MDL
Summary
| Field | Value |
|---|---|
| Driver | mskssrv.sys |
| Vulnerability Class | MDL Handling |
| Vulnerable Build | 10.0.22621.1702 (KB5026372) |
| Fixed Build | 10.0.22621.1848 (KB5027231) |
| Exploited ITW | No |
Affected Functions
- FsAllocAndLockMdl
- FsAllocateAndLock
Root Cause
AutoPiff categorizes this as mdl_handling with detection rules:
- mdl_probe_access_mode_fix
Exploitation
Patch Analysis
Detection
YARA Rule
```yara
rule CVE_2023_29360_MSKSSRV {
    meta:
        description = "Detects vulnerable version of mskssrv.sys (pre-patch)"
        cve = "CVE-2023-29360"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "mskssrv.sys" wide ascii nocase
        $vuln_build = "10.0.22621.1702" wide ascii
        $alloc_mdl = "FsAllocAndLockMdl" ascii
        $alloc_lock = "FsAllocateAndLock" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($alloc_mdl, $alloc_lock)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Streaming | MDL allocation on \Device\MSKSSRV | Monitors Kernel Streaming MDL operations where the driver incorrectly probes user-supplied pages with KernelMode access |
| Microsoft-Windows-Kernel-Audit | Token modification (Event ID 4672) | Captures privilege escalation after the attacker leverages the MDL-based write primitive |
| Microsoft-Windows-Kernel-Process | Process token change | Detects the exploiting process replacing its token with SYSTEM via the kernel write primitive |
| Microsoft-Windows-Security-Auditing | Special privileges assigned (Event ID 4672) | Alerts when a low-privilege process obtains SYSTEM privileges through token manipulation |
Behavioral Indicators
- A user-mode process opens a handle to `\Device\MSKSSRV` and issues IOCTLs that cause the driver to call `MmProbeAndLockPages` with `KernelMode` access on a user-supplied MDL, bypassing page permission checks
- The attacker supplies a user-mode virtual address in the MDL that maps to a kernel structure, allowing the driver to lock and write to kernel memory as if the caller had kernel-level access
- Arbitrary kernel write primitive achieved through the MDL confusion: the driver writes data to an attacker-controlled kernel address because the probing used `KernelMode` instead of `UserMode`
- Token swapping in the `EPROCESS` structure, where the exploiting process overwrites its `Token` field with the SYSTEM token pointer using the write primitive
- Non-media processes (processes that are not audio/video applications) interacting with the MSKSSRV device, indicating abuse of the streaming subsystem for exploitation