CVE-2024-30089
Kernel Streaming Server -- ref-count logic error causes use-after-free EoP
Summary
| Field | Value |
|---|---|
| Driver | mskssrv.sys |
| Vulnerability Class | Use-After-Free / Lifetime |
| Vulnerable Build | 10.0.22621.2506 (KB5031455) |
| Fixed Build | 10.0.22621.3733 (KB5039212) |
| Exploited ITW | No |
Affected Functions
FSRendezvousServerFSStreamReg::Close
Root Cause
The Kernel Streaming Service Proxy (mskssrv.sys) manages streaming connections between user-mode applications and kernel-mode multimedia components. Each streaming session involves reference-counted objects that track active connections, pending I/O, and resource ownership. The FSRendezvousServer manages the overall connection lifecycle, while FSStreamReg::Close handles teardown when a stream is closed.
The vulnerability is a reference-count logic error in the stream teardown path. When a stream is being closed, FSStreamReg::Close decrements the reference count on internal objects and frees them. However, the reference-count bookkeeping does not properly account for all outstanding references. Under specific timing conditions, the object is freed while other code paths still hold references to it. When those code paths subsequently access the freed object, they operate on deallocated memory.
This is a classic use-after-free triggered by a reference-count imbalance. The freed object's memory can be reclaimed by the kernel pool allocator and assigned to a new allocation. If the attacker controls the content of that new allocation, they control the data that the stale reference dereferences.
AutoPiff categorizes this as lifetime_fix with detection rules:
null_after_free_addedguard_before_free_added
Exploitation
The attacker exploits the reference-count imbalance by rapidly opening and closing handles to the Kernel Streaming proxy server device. The goal is to race the FSStreamReg::Close teardown against concurrent operations that still reference the stream object.
When the timing is right, the object is freed while a pending operation still holds a stale pointer. The attacker then sprays the non-paged pool with controlled data (pipe attributes or named pipe objects sized to match the freed allocation). When the pool allocator reclaims the freed slot for one of these spray objects, the stale pointer now points to attacker-controlled content.
The pending operation dereferences fields in the "object" (now the attacker's spray data), following controlled values as pointers or using them as sizes. This is shaped into an arbitrary kernel write primitive, leading to the standard EPROCESS token swap for SYSTEM escalation.
IBM X-Force published a detailed writeup ("The Little Bug That Could") documenting the reference-count imbalance and exploitation strategy.
Patch Analysis
The fix in KB5039212 addresses the reference-count logic. The patched code adds a guard check before freeing the object, verifying that all outstanding references have been released. It also nulls the object pointer after freeing, so any subsequent access through a stale reference hits a null dereference (which is caught by structured exception handling) rather than operating on reclaimed memory.
AutoPiff detects this via null_after_free_added and guard_before_free_added.
Detection
YARA Rule
rule CVE_2024_30089_mskssrv_sys {
meta:
description = "Detects vulnerable version of mskssrv.sys (pre-patch)"
cve = "CVE-2024-30089"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "mskssrv.sys" wide ascii nocase
$version = "10.0.22621.2506" wide ascii
$rendezvous = "FSRendezvousServer" ascii
$stream_close = "FSStreamReg" ascii
condition:
$mz at 0 and $driver_name and $version and ($rendezvous or $stream_close)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-KSVC | Kernel Streaming server lifecycle events | Tracks creation, reference, and teardown of KS server rendezvous objects managed by mskssrv.sys |
| Microsoft-Windows-Kernel-Audit | Object reference count anomalies | Detects mismatched acquire/release of kernel streaming server objects that indicate UAF conditions |
| Microsoft-Windows-Security-Auditing | Event 4688 -- Process creation | Identifies processes spawning with unexpected SYSTEM privileges following exploitation |
| Microsoft-Windows-Kernel-Process | Process token modification | Detects runtime token swap on the exploiting process after UAF-based arbitrary write |
Behavioral Indicators
- Rapid open/close of handles to the Kernel Streaming proxy server device, triggering concurrent
FSRendezvousServerandFSStreamReg::Closepaths to win a reference-count race - NonPagedPool allocations freed and immediately reallocated with attacker-controlled data (pool spray via pipe attributes or named pipe objects) to reclaim the freed streaming object
- Freed mskssrv.sys streaming object accessed after deallocation, causing a use-after-free that redirects control flow or corrupts adjacent pool metadata
- Process acquires SYSTEM-level privileges without standard elevation (UAC, service creation, or scheduled tasks)
- Bugchecks referencing mskssrv.sys with pool corruption signatures (BAD_POOL_HEADER, KERNEL_SECURITY_CHECK_FAILURE) during failed exploitation attempts
Broader Significance
CVE-2024-30089 is the third vulnerability in mskssrv.sys (after CVE-2023-29360 and CVE-2023-36802), each in a different vulnerability class: MDL handling, type confusion, and now use-after-free. The Kernel Streaming subsystem's reliance on manual reference counting in C code, combined with complex asynchronous teardown paths, makes lifetime bugs predictable. The IBM X-Force writeup demonstrates that even a "little bug" in reference-count arithmetic can be reliably weaponized into full privilege escalation with modern pool spray techniques.