CVE-2024-21345
NT Kernel -- elevation of privilege via improper kernel object handling
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | Elevation of Privilege |
| Exploited ITW | No |
| CVSS | 7.8 |
Root Cause
This vulnerability lives in the NT kernel's object management subsystem. When user-mode processes interact with kernel objects through system calls, the kernel performs a series of validation steps: checking handle permissions, verifying object types, and ensuring that operations requested on the object are consistent with its current state.
In the vulnerable code path, the kernel performs insufficient validation during an object manipulation operation. A user-mode process can supply parameters that cause the kernel to mishandle the object's internal state, so that the kernel memory backing the object can be corrupted in a controlled way. Specifically, the kernel fails to properly gate an object state transition, which lets a user-mode caller drive the object into an inconsistent state that yields a write primitive.
The exploits-forsale research team identified the specific object handling path and published a PoC demonstrating the exploitation methodology.
Exploitation
The object handling flaw provides a kernel write primitive. The attacker creates and manipulates kernel objects through documented system calls, driving the vulnerable object into the state that enables controlled memory corruption. Because the write target is influenced by object field values that the attacker controls through the object's API, the write can be directed at specific kernel addresses.
With a write primitive established, the attacker locates the current process's EPROCESS structure (using NtQuerySystemInformation or similar information leak techniques) and overwrites its Token field with the SYSTEM process token pointer. The process then inherits SYSTEM privileges.
Patch Analysis
The fix adds validation checks in the kernel object handling path, ensuring that the object state transition is properly gated. The new checks verify that the object is in a valid state for the requested operation before proceeding, and reject requests that would create the inconsistent state exploited by the vulnerability.
Broader Significance
NT kernel object management bugs are particularly impactful because the object manager is the foundation of the Windows security model. Handles, tokens, processes, threads, and synchronization primitives are all kernel objects managed by the same subsystem. A flaw in how the object manager validates state transitions can affect any object type, making these bugs versatile building blocks for privilege escalation chains.