CVE-2024-30090
Kernel Streaming WOW Thunk -- RequestorMode confusion via 32-to-64-bit IRP conversion
Summary
| Field | Value |
|---|---|
| Driver | ksthunk.sys |
| Vulnerability Class | Race Condition / Mode Confusion |
| Exploited ITW | No |
| CVSS | 7.0 |
Root Cause
When a WoW64 (32-bit) process sends IOCTL_KS_ENABLE_EVENT to a kernel streaming device, ksthunk.sys intercepts the IRP and converts the 32-bit request into its 64-bit layout before forwarding it to the underlying kernel streaming driver. To do this it allocates a new IRP rather than reusing the original. The I/O manager had stamped the original IRP with the caller's previous mode, UserMode (1); the new IRP's RequestorMode is set to KernelMode (0) instead of carrying that value across.
Downstream kernel streaming code follows the usual kernel idiom: caller-supplied buffer pointers are probed (ProbeForRead/ProbeForWrite inside a try/except) only when Irp->RequestorMode != KernelMode, because a kernel-originated request is trusted to supply valid addresses. With the converted IRP marked KernelMode that validation is skipped entirely, so a WoW64 process can place kernel addresses in the IOCTL buffers and have the driver read from or write to them as if the request had come from kernel code.
Discovered by Angelboy at DEVCORE, presented at HEXACON 2024.
Exploitation
The mode confusion turns every thunked kernel streaming IOCTL into one processed with kernel trust. From a WoW64 process the attacker sends crafted kernel streaming IOCTLs whose buffer pointers are kernel-mode addresses; because the downstream driver sees RequestorMode == KernelMode it dereferences them without validation, which yields kernel read and write primitives bounded only by what the chosen IOCTL handler reads from or writes to the caller-supplied buffers.
From there the escalation is standard token manipulation: locate the attacker process's EPROCESS, use the write primitive to replace its Token with the SYSTEM token (or raise its privileges), and spawn a shell as SYSTEM.
Patch Analysis
The fix preserves the original IRP's RequestorMode when ksthunk.sys constructs the converted 64-bit IRP, so a request that originated in a WoW64 process stays marked UserMode and the downstream driver's ProbeForRead/ProbeForWrite checks run exactly as they would for a native 64-bit caller. The same rule applies to any thunk, filter or proxy layer that builds a fresh IRP on a user caller's behalf: either carry the originator's mode through, or, where the forwarding API forces KernelMode, copy and validate the user buffers in the proxy before forwarding.
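To make the trust boundary in the Root Cause and Patch Analysis sections concrete, the following is a constructed C model of the bug and of the fix. It is an added example, not code from ksthunk.sys, ks.sys, or Angelboy's write-up. The IRP layouts, the thunk and dispatch function names, the payload pointer field, the probe stand-in and the sample addresses are all assumptions; the only behaviour it reproduces is that the converted IRP is stamped KernelMode, that the downstream handler probes a caller-supplied pointer only for non-kernel requestors, and that the patched thunk carries the originator's mode across.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the real IRP, ksthunk.sys and ks.sys code;
 * only the RequestorMode logic is meant to match the advisory text. */

typedef enum { KernelMode = 0, UserMode = 1 } MODE;   /* same values as the ntddk MODE enum */

#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_VIOLATION 0xC0000005u

/* CTL_CODE(FILE_DEVICE_KS, 0x001, METHOD_NEITHER, FILE_ANY_ACCESS); informational only */
#define IOCTL_KS_ENABLE_EVENT   0x2F0007u

/* Highest user-mode address on x64 Windows; anything above it is kernel space. */
#define MM_HIGHEST_USER_ADDRESS 0x00007FFFFFFEFFFFull

/* Request as submitted by the WoW64 process. The I/O manager stamps the
 * originating IRP with the caller's previous mode, UserMode for a process. */
typedef struct {
    MODE     RequestorMode;
    uint32_t IoControlCode;
    uint64_t BufferPtr;    /* pointer carried in the IOCTL payload (attacker-chosen); assumed field */
    uint32_t BufferLen;
} REQUEST32;

/* Converted 64-bit IRP that the thunk hands to the downstream KS driver. */
typedef struct {
    MODE     RequestorMode;
    uint32_t IoControlCode;
    uint64_t BufferPtr;
    uint32_t BufferLen;
} IRP64;

/* Stand-in for ProbeForWrite: 0 if [p, p+len) lies in user space, non-zero
 * where the real routine would raise STATUS_ACCESS_VIOLATION. */
static int probe_for_write(uint64_t p, uint32_t len)
{
    uint64_t end = p + len;
    if (len == 0) return 0;
    if (end < p) return 1;                              /* wraparound */
    if (end - 1 > MM_HIGHEST_USER_ADDRESS) return 1;    /* reaches into kernel space */
    return 0;
}

/* Pre-patch thunk: the freshly built IRP is marked KernelMode regardless of
 * who originated the request. */
static IRP64 thunk_vulnerable(const REQUEST32 *r)
{
    IRP64 irp;
    irp.RequestorMode = KernelMode;     /* the bug */
    irp.IoControlCode = r->IoControlCode;
    irp.BufferPtr     = r->BufferPtr;
    irp.BufferLen     = r->BufferLen;
    return irp;
}

/* Post-patch thunk: carry the originator's mode across the conversion. */
static IRP64 thunk_fixed(const REQUEST32 *r)
{
    IRP64 irp = thunk_vulnerable(r);
    irp.RequestorMode = r->RequestorMode;
    return irp;
}

/* Downstream KS-style handler using the common kernel idiom: probe the
 * caller-supplied pointer only when the request did not come from kernel
 * code. Returns the NTSTATUS the driver would complete with; on success
 * *accepted (if non-NULL) receives the pointer the driver would then use. */
static uint32_t ks_dispatch(const IRP64 *irp, uint64_t *accepted)
{
    if (irp->RequestorMode != KernelMode &&
        probe_for_write(irp->BufferPtr, irp->BufferLen))
        return STATUS_ACCESS_VIOLATION;
    if (accepted) *accepted = irp->BufferPtr;   /* real driver would read/write here */
    return STATUS_SUCCESS;
}

/* One WoW64 IOCTL round trip: build the request, thunk it, dispatch it. */
static uint32_t wow64_ioctl(uint64_t ptr, uint32_t len, int patched, uint64_t *accepted)
{
    REQUEST32 r = { UserMode, IOCTL_KS_ENABLE_EVENT, ptr, len };
    IRP64 irp = patched ? thunk_fixed(&r) : thunk_vulnerable(&r);
    if (accepted) *accepted = 0;
    return ks_dispatch(&irp, accepted);
}

/* Pointer the driver would operate on, or 0 if the request was rejected. */
static uint64_t wow64_ioctl_target(uint64_t ptr, uint32_t len, int patched)
{
    uint64_t got = 0;
    wow64_ioctl(ptr, len, patched, &got);
    return got;
}

int main(void)
{
    /* Constructed addresses: a plausible user buffer and a kernel address. */
    const uint64_t user_buf   = 0x000000C0DEADB000ull;
    const uint64_t kernel_ptr = 0xFFFFF80012345678ull;

    printf("user ptr,   pre-patch : 0x%08X\n", (unsigned)wow64_ioctl(user_buf, 0x40, 0, NULL));
    printf("kernel ptr, pre-patch : 0x%08X (driver would use 0x%016llX)\n",
           (unsigned)wow64_ioctl(kernel_ptr, 0x40, 0, NULL),
           (unsigned long long)wow64_ioctl_target(kernel_ptr, 0x40, 0));
    printf("kernel ptr, post-patch: 0x%08X\n", (unsigned)wow64_ioctl(kernel_ptr, 0x40, 1, NULL));
    return 0;
}
```

The model deliberately never dereferences the attacker's pointer; the point is that before the patch ks_dispatch accepts 0xFFFFF80012345678 from a UserMode originator, and after the patch the same request fails the probe just as it would for a native 64-bit caller.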