CVE-2024-26229
Client-Side Caching — missing access check allows EoP
Summary
| Field | Value |
|---|---|
| Driver | csc.sys |
| Vulnerability Class | Authorization / Access Check |
| Vulnerable Build | 10.0.22621.1 (RTM) |
| Fixed Build | 10.0.22621.3447 (KB5036893) |
| Exploited ITW | No |
Affected Functions
CscDevFcbXXXControlFileR0Ioctl
Root Cause
AutoPiff categorizes this as an authorization bug. The detection rules that fired on the patch diff record what the fix added:
- added_access_check
- added_previous_mode_gate
- added_privilege_check
Exploitation
Patch Analysis
Detection
YARA Rule
rule CVE_2024_26229_csc_sys {
    meta:
        description = "Detects vulnerable version of csc.sys (pre-patch)"
        cve = "CVE-2024-26229"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "csc.sys" wide ascii nocase
        // FileVersion in the VS_VERSIONINFO resource is UTF-16 and has the form
        // "10.0.22621.1 (WinBuild.160101.0800)". The trailing " (" stops the
        // bare "10.0.22621.1" from also matching 10.0.22621.1xxx builds.
        $version_rtm = "10.0.22621.1 (" wide ascii
        // The internal names CscDevFcbXXXControlFile / R0Ioctl are deliberately
        // not used as match criteria: they are symbol names that are not reliably
        // present as strings in the binary, and they exist in patched builds too,
        // so matching on them does not separate vulnerable from fixed drivers.
    condition:
        $mz at 0 and $driver_name and $version_rtm
}

The rule is a triage heuristic for copied or archived binaries. On a live host the authoritative check is the FileVersion of %SystemRoot%\System32\drivers\csc.sys against the fixed build 10.0.22621.3447: anything below it on 22621 is unpatched.
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Security-Auditing | Event 4688 — Process creation | Primary signal for the post-exploitation step: a new process whose MandatoryLabel is S-1-16-16384 (System) but whose creator (ProcessId / Creator Process Name in the event) is a medium-integrity user process rather than services.exe, svchost.exe or another broker. Requires Audit Process Creation to be enabled; the creator image path is only logged on Windows 10 and later. |
| Microsoft-Windows-Security-Auditing | Event 4672 — Special privileges assigned to new logon | Logged when a logon session holding sensitive privileges is created. A SYSTEM token obtained by stealing or duplicating an existing token reuses the existing SYSTEM logon session, so this event is not guaranteed to fire; treat it as corroboration, not as the trigger. |
| Microsoft-Windows-Kernel-Audit | IOCTL dispatch authorization events | Windows ships no stock audit event that records the authorization decision taken inside a driver's IOCTL dispatch; seeing DeviceIoControl calls to the CSC device from callers other than the Offline Files service requires an EDR kernel callback or a custom trace session. Use this only where such telemetry exists. |
| Microsoft-Windows-Kernel-IoTrace | I/O request tracing on CSC device | A kernel trace provider, high volume; enable on demand during investigation. Relevant records are device-control IRPs to \Device\CSC whose issuing process is not CscService or the SMB redirector, i.e. user-mode callers that the missing access check should have rejected. |
| Microsoft-Windows-Kernel-Process | Process token modification | This provider reports process, thread and image events, not token changes. It is useful for building the process lineage: the token swap is visible only indirectly, as a child process running at System integrity created by a parent that was started at medium integrity. |
Behavioral Indicators
- An unprivileged user-mode process opens a handle to the Client-Side Caching device (\Device\CSC) and issues IOCTLs that reach CscDevFcbXXXControlFile / R0Ioctl without holding the required privileges, exploiting the missing access check
- The IOCTL handler in csc.sys processes the request at kernel privilege level without validating the caller's token or PreviousMode, so a user-mode caller can perform operations intended only for kernel-mode or privileged callers
- The exploiting process escalates from a standard-user or medium-integrity context to SYSTEM without invoking UAC, creating a service, or being launched by a privileged parent
- Unusual activity on the CSC device object from processes other than the Offline Files service (CscService) or the SMB redirector, indicating unauthorized access to the driver's control interface
- Post-exploitation, the attacker process may access protected system resources, modify security policy, or spawn child processes at SYSTEM integrity, all traceable back to the initial unauthorized IOCTL
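The 4688 row of the ETW table and the third behavioral indicator describe the same observable: a System-integrity process created by a medium-integrity parent that is not a legitimate broker. The following is an added example of that lineage check, written for this page and not KernelSight or AutoPiff code. It consumes dicts keyed by the EventData field names of Security event 4688 (NewProcessId, NewProcessName, ProcessId, ParentProcessName, MandatoryLabel, SubjectUserName, SubjectDomainName); the broker allow-list and the SAMPLE_4688 records are constructed for the example, not captured logs. It also handles the case where the creator's own 4688 record falls outside the collection window, judging the creator image path instead.

```python
"""Lineage check over Security event 4688 records: flag a System-integrity
process created by a lower-integrity parent that is not a known broker.

Added example for this page, not KernelSight/AutoPiff code. Input records are
dicts keyed by the EventData field names of event 4688; SAMPLE_4688 below is
constructed for the example, not a captured log.
"""
from dataclasses import dataclass
from typing import Optional

SYSTEM_LABEL = "S-1-16-16384"   # MandatoryLabel: System Mandatory Level
HIGH_LABEL = "S-1-16-12288"     # High (elevated administrator)
MEDIUM_LABEL = "S-1-16-8192"    # Medium (standard user)

# Processes that legitimately create SYSTEM children on a user's behalf:
# service start, scheduled tasks and UAC elevation all pass through these.
# Assumed allow-list for the example; tune it to the environment.
BROKERS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\winlogon.exe",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    creator_pid: int
    creator_image: str
    label: str
    user: str


def parse_4688(ev: dict) -> Proc:
    """Map one 4688 EventData dict to a Proc. PIDs are hex strings in the log,
    and 'ProcessId' (not 'NewProcessId') is the creator's PID."""
    return Proc(
        pid=int(ev["NewProcessId"], 16),
        image=ev["NewProcessName"].lower(),
        creator_pid=int(ev["ProcessId"], 16),
        creator_image=ev.get("ParentProcessName", "").lower(),
        label=ev.get("MandatoryLabel", ""),
        user=f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}',
    )


def find_integrity_jumps(events: list) -> list:
    """Return (child, parent) pairs where a System-integrity process was created
    by a non-System, non-broker parent. parent is None when the creator's own
    4688 record is not in the window; the creator image path from the child's
    record is judged instead."""
    procs = {}
    for p in map(parse_4688, events):
        procs[p.pid] = p                  # PID reuse inside the window is ignored
    hits = []
    for child in procs.values():
        if child.label != SYSTEM_LABEL:
            continue
        parent: Optional[Proc] = procs.get(child.creator_pid)
        if parent is not None:
            if parent.label == SYSTEM_LABEL or parent.image in BROKERS:
                continue
        elif child.creator_image in BROKERS or child.creator_image.startswith("c:\\windows\\"):
            continue
        hits.append((child, parent))
    return hits


SAMPLE_4688 = [  # constructed records; hex PIDs as the Security log writes them
    {"NewProcessId": "0x2b0", "NewProcessName": r"C:\Windows\System32\services.exe",
     "ProcessId": "0x250", "ParentProcessName": r"C:\Windows\System32\wininit.exe",
     "MandatoryLabel": SYSTEM_LABEL, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM"},
    {"NewProcessId": "0x3a0", "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ProcessId": "0x2b0", "ParentProcessName": r"C:\Windows\System32\services.exe",
     "MandatoryLabel": SYSTEM_LABEL, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM"},
    {"NewProcessId": "0x11c4", "NewProcessName": r"C:\Windows\explorer.exe",
     "ProcessId": "0x1190", "ParentProcessName": r"C:\Windows\System32\userinit.exe",
     "MandatoryLabel": MEDIUM_LABEL, "SubjectDomainName": "CORP", "SubjectUserName": "alice"},
    {"NewProcessId": "0x1d40", "NewProcessName": r"C:\Users\alice\Downloads\poc.exe",
     "ProcessId": "0x11c4", "ParentProcessName": r"C:\Windows\explorer.exe",
     "MandatoryLabel": MEDIUM_LABEL, "SubjectDomainName": "CORP", "SubjectUserName": "alice"},
    # SYSTEM shell spawned by the medium-integrity poc.exe: the post-exploitation step
    {"NewProcessId": "0x1f00", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ProcessId": "0x1d40", "ParentProcessName": r"C:\Users\alice\Downloads\poc.exe",
     "MandatoryLabel": SYSTEM_LABEL, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM"},
    # SYSTEM child of a service host: benign
    {"NewProcessId": "0x2000", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ProcessId": "0x3a0", "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "MandatoryLabel": SYSTEM_LABEL, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM"},
    # creator record outside the window; judged on its image path alone
    {"NewProcessId": "0x2100", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ProcessId": "0x1e00", "ParentProcessName": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "MandatoryLabel": SYSTEM_LABEL, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM"},
]

if __name__ == "__main__":
    for child, parent in find_integrity_jumps(SAMPLE_4688):
        via = parent.image if parent else f"{child.creator_image} (no 4688 record)"
        print(f"ALERT pid={child.pid:#x} {child.image} runs as {child.user} "
              f"but was created by {via}")
```

On real data, feed it a bounded window of 4688 events (Audit Process Creation must be enabled) and expect two classes of hit: a System child of a recorded medium-integrity parent, and a System child whose creator is an unrecorded image outside C:\Windows. PID reuse inside a long window will produce false lineage, so keep windows short or key on (PID, creation time) if your collector exposes it.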