CVE-2024-30089
Kernel Streaming Server — ref-count logic error causes use-after-free EoP
Summary
| Field | Value |
|---|---|
| Driver | mskssrv.sys |
| Vulnerability Class | Use-After-Free / Lifetime |
| Vulnerable Build | 10.0.22621.2506 (KB5031455) |
| Fixed Build | 10.0.22621.3733 (KB5039212) |
| Exploited ITW | No |
Affected Functions
FSRendezvousServer
FSStreamReg::Close
Root Cause
AutoPiff categorizes this as lifetime_fix with detection rules:
null_after_free_added, guard_before_free_added
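As an added illustration of what the two rule names above describe (a guard before the release and clearing the pointer after it), the snippet below contrasts an unguarded Close path with a hardened one on a constructed, reference-counted stream registration. It is example code written for this page, not mskssrv.sys code, and makes no claim about the driver's real structures; the object is flagged as freed instead of actually returned to the pool so the double-close outcome can be observed safely.

```c
#include <stdlib.h>

/* Constructed illustration of the lifetime bug class, not mskssrv.sys code. */
enum { CLOSE_OK = 0, CLOSE_ALREADY_CLOSED = 1, CLOSE_TOUCHED_FREED = 2 };

typedef struct {
    long refcount;
    int  freed;   /* instrumentation: set instead of really freeing the object */
} StreamObj;

typedef struct { StreamObj *stream; } StreamReg;

static StreamObj *stream_create(void) {
    StreamObj *s = calloc(1, sizeof *s);
    if (s) s->refcount = 1;
    return s;
}

/* Drop one reference; at zero the object would go back to the pool. */
static void stream_release(StreamObj *s) {
    if (--s->refcount == 0) s->freed = 1;
}

/* Unguarded pattern: no check before release, pointer left dangling after it.
 * A second Close on the same registration decrements an already-freed object. */
static int close_vulnerable(StreamReg *reg) {
    StreamObj *s = reg->stream;
    if (s->freed) return CLOSE_TOUCHED_FREED;   /* what Driver Verifier / Special Pool would catch */
    stream_release(s);
    return CLOSE_OK;
}

/* Hardened pattern: guard before release (guard_before_free), clear the
 * pointer afterwards (null_after_free). A real driver would swap the pointer
 * atomically (e.g. InterlockedExchangePointer) so racing callers cannot both win. */
static int close_fixed(StreamReg *reg) {
    StreamObj *s = reg->stream;
    if (s == NULL) return CLOSE_ALREADY_CLOSED;
    reg->stream = NULL;
    stream_release(s);
    return CLOSE_OK;
}

/* Run a Close path twice on one registration and report the second result. */
static int double_close(int (*close_fn)(StreamReg *)) {
    StreamReg reg = { stream_create() };
    StreamObj *s = reg.stream;
    int first = close_fn(&reg);
    int second = close_fn(&reg);
    free(s);
    return first == CLOSE_OK ? second : -1;
}
```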
Exploitation
Patch Analysis
Detection
YARA Rule
```yara
rule CVE_2024_30089_mskssrv_sys {
    meta:
        description = "Detects vulnerable version of mskssrv.sys (pre-patch)"
        cve = "CVE-2024-30089"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "mskssrv.sys" wide ascii nocase
        $version = "10.0.22621.2506" wide ascii
        $rendezvous = "FSRendezvousServer" ascii
        $stream_close = "FSStreamReg" ascii
    condition:
        $mz at 0 and $driver_name and $version and ($rendezvous or $stream_close)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-KSVC | Kernel Streaming server lifecycle events | Tracks creation, reference, and teardown of KS server rendezvous objects managed by mskssrv.sys |
| Microsoft-Windows-Kernel-Audit | Object reference count anomalies | Detects mismatched acquire/release of kernel streaming server objects that indicate UAF conditions |
| Microsoft-Windows-Security-Auditing | Event 4688 — Process creation | Identifies processes spawning with unexpected SYSTEM privileges following exploitation |
| Microsoft-Windows-Kernel-Process | Process token modification | Detects runtime token swap on the exploiting process after UAF-based arbitrary write |
Behavioral Indicators
- A user-mode process rapidly opens and closes handles to the Kernel Streaming proxy server device, triggering concurrent FSRendezvousServer and FSStreamReg::Close code paths to win a reference-count race
- Kernel pool allocations in the NonPagedPool are freed and immediately reallocated with attacker-controlled data (pool spray using pipe attributes or named pipe objects) to reclaim the freed streaming object
- A freed mskssrv.sys streaming object is accessed after deallocation, causing a use-after-free that redirects control flow or corrupts adjacent pool metadata
- The exploiting process acquires SYSTEM-level privileges without invoking standard elevation mechanisms (UAC, service creation, or scheduled tasks)
- Crash dumps or bugchecks referencing mskssrv.sys with pool corruption signatures (BAD_POOL_HEADER, KERNEL_SECURITY_CHECK_FAILURE) appear during failed exploitation attempts