Skip to content

CVE-2024-30088

NT Kernel — TOCTOU race in AuthzBasepCopyoutInternalSecurityAttributes

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field Value
Driver ntoskrnl.exe
Vulnerability Class Race Condition / TOCTOU
Vulnerable Build 10.0.22621.3672 (KB5037853)
Fixed Build 10.0.22621.3733 (KB5039212)
Exploited ITW Yes

Affected Functions

  • AuthzBasepCopyoutInternalSecurityAttributes
  • NtAccessCheckByTypeAndAuditAlarm

Root Cause

The vulnerability resides in ntoskrnl.exe's authorization security subsystem, specifically within the AuthzBasepCopyoutInternalSecurityAttributes function. This function is responsible for copying security attribute data from kernel space into a user-mode output buffer during access-check operations invoked through syscalls such as NtAccessCheckByTypeAndAuditAlarm. The function follows a two-step pattern: it first validates the user-mode buffer address and size to ensure the target is a legitimate user-mode region with sufficient capacity (time-of-check), then proceeds to copy the kernel-resident security attribute data into that buffer (time-of-use).

Between the validation step and the copy step, a window exists during which another thread in the same process can remap the virtual address range of the user-mode buffer. By using a second thread to call NtUnmapViewOfSection followed by NtMapViewOfSection (or equivalent memory-mapping primitives) targeting the same virtual address range, an attacker can redirect the buffer pointer so that it resolves to a kernel-mode address. When the kernel subsequently performs the copy, it writes security attribute data to the attacker-chosen kernel address rather than the original user-mode buffer.

This is a classic TOCTOU (time-of-check-to-time-of-use) race condition. The validation of the destination buffer and the actual write to that buffer are not performed atomically, and no lock prevents the address mapping from changing between these two events. The race window is accessible through any code path that invokes AuthzBasepCopyoutInternalSecurityAttributes, with NtAccessCheckByTypeAndAuditAlarm being the primary attack vector.

AutoPiff categorizes this as race_condition with detection rules:

  • added_lock_around_toctou
  • added_spinlock_guard
  • added_mutex_guard

Exploitation

The TOCTOU race provides a controlled kernel write primitive. The attacker controls the target address by remapping the user-mode buffer to an arbitrary kernel virtual address, and partially controls the written data through the content of the security attributes being copied. This gives a "write-what-where" condition with some constraints on the data payload, but sufficient flexibility for practical exploitation.

The exploitation flow proceeds as follows: the attacker allocates a user-mode buffer at a known virtual address, then initiates a security attribute query syscall that will populate that buffer. Concurrently, a second thread races to remap the buffer's virtual address range so that it points to a kernel-mode target address (such as a field within the calling process's token structure). If the remap completes after the kernel validates the buffer but before it performs the copy, the kernel writes the security attribute data directly into the chosen kernel address. The attacker repeats this race in a tight loop until the timing aligns.

The write primitive is leveraged to corrupt kernel data structures for privilege escalation, typically targeting the process token to perform a token-swapping attack that grants SYSTEM-level privileges. While the exploit is probabilistic in nature, the race window is wide enough that a multi-threaded approach -- with one thread continuously issuing the syscall and another continuously remapping the buffer -- can win the race reliably within seconds. This vulnerability was exploited in the wild and demonstrated at Pwn2Own 2024.

Patch Analysis

The patch shipped in KB5039212 (build 10.0.22621.3733) addresses the vulnerability by adding proper synchronization around the check-and-copy sequence in AuthzBasepCopyoutInternalSecurityAttributes. Specifically, the fix introduces lock acquisition (via mutex or spinlock guards) that ensures the buffer address validation and the subsequent memory copy execute atomically with respect to address-space modifications. This eliminates the TOCTOU window by preventing any concurrent thread from remapping the target buffer while the kernel is between the check and the write.

AutoPiff detects this patch pattern through the added_lock_around_toctou, added_spinlock_guard, and added_mutex_guard differential rules, which flag functions where synchronization primitives were introduced around previously unguarded check-then-use sequences.

Detection

YARA Rule

rule CVE_2024_30088_ntoskrnl {
    meta:
        description = "Detects vulnerable version of ntoskrnl.exe (pre-patch)"
        cve = "CVE-2024-30088"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "ntoskrnl.exe" wide ascii nocase
        $version = "10.0.22621.3672" wide ascii
        $authz_func = "AuthzBasepCopyoutInternalSecurityAttributes" ascii
        $access_check = "NtAccessCheckByTypeAndAuditAlarm" ascii
    condition:
        $mz at 0 and $driver_name and $version and ($authz_func or $access_check)
}

ETW Indicators

Provider Event / Signal Relevance
Microsoft-Windows-Security-Auditing Event 4672 — Special privileges assigned Detects when the exploiting process unexpectedly acquires SeDebugPrivilege or SeTcbPrivilege after token swap
Microsoft-Windows-Kernel-Audit Authorization subsystem events Monitors calls to AuthzBasepCopyoutInternalSecurityAttributes and related access-check routines for anomalous invocation patterns
Microsoft-Windows-Kernel-Process Process token modification Fires when a process token is replaced at runtime, indicating successful TOCTOU exploitation and token swap
Microsoft-Windows-Security-Auditing Event 4688 — Process creation Correlates newly spawned SYSTEM-privilege processes with the exploiting process lineage
Microsoft-Windows-Kernel-Memory Section object mapping events Detects rapid NtMapViewOfSection / NtUnmapViewOfSection cycling on the same virtual address range, the hallmark of the TOCTOU race

Behavioral Indicators

  • A multi-threaded user-mode process issues rapid, repeated calls to NtAccessCheckByTypeAndAuditAlarm from one thread while a second thread cycles NtUnmapViewOfSection and NtMapViewOfSection on the same virtual address range, attempting to win the TOCTOU race
  • High-frequency virtual address remapping (thousands of map/unmap cycles per second) targeting a specific user-mode buffer region that was passed as the output buffer to the authorization syscall
  • The security attribute copyout writes kernel data to an address that resolves to a kernel-mode page rather than the original user-mode buffer, indicating the race was won and the buffer was remapped
  • A process token is overwritten mid-execution: the process transitions from a standard user token to a SYSTEM token without any logon event, service call, or UAC prompt
  • The exploit creates multiple threads with tight affinity (SetThreadAffinityMask) to specific CPU cores to maximize the probability of winning the race window between check and use

References