CVE-2024-38054
Kernel Streaming WOW64 Thunk -- integer overflow in KSSTREAM_HEADER thunking allows EoP
Summary
| Field | Value |
|---|---|
| Driver | ksthunk.sys |
| Vulnerability Class | IOCTL Hardening |
| Vulnerable Build | 10.0.22621.3733 (KB5039212) |
| Fixed Build | 10.0.22621.3880 (KB5040442) |
| Exploited ITW | No |
Affected Functions
CKSAutomationThunk::ThunkEnableEventIrpCKSAutomationThunk::Thunk
Root Cause
The Kernel Streaming WOW64 Thunk driver (ksthunk.sys) translates 32-bit IOCTL requests into 64-bit format when a WoW64 process communicates with kernel streaming devices. During this translation, the driver must convert KSSTREAM_HEADER structures from their 32-bit layout to the wider 64-bit layout. This involves recalculating buffer sizes based on the number of stream headers in the request.
In CKSAutomationThunk::ThunkEnableEventIrp and CKSAutomationThunk::Thunk, the driver computes the output buffer size by multiplying a user-controlled count (the number of stream headers) by the per-header structure size. When the count is large enough, this multiplication overflows the integer, wrapping around to a small value. The driver then allocates a kernel pool buffer using the wrapped (small) size, but copies data into it using the original (large, pre-overflow) count. The result is a heap buffer overflow in the kernel pool.
The bug is notable for its timing: it appeared in the same build (KB5039212) that patched CVE-2024-35250. The kernel streaming subsystem was being actively patched, but new bugs were introduced in adjacent code paths.
AutoPiff categorizes this as ioctl_hardening with detection rules:
ioctl_input_size_validation_added
Exploitation
The integer overflow produces a heap overflow in the kernel's non-paged pool. The undersized allocation receives data that spills into adjacent pool objects. The exploitation follows standard pool feng shui: the attacker sprays controlled objects of matching size into the pool, triggers the overflow, and corrupts an adjacent object's fields.
The specific spray target depends on the exploit author's preference. Pipe attributes, event objects, and named pipe structures are common choices. Corrupting the right fields in the adjacent object provides a relative read/write primitive that is escalated to arbitrary kernel read/write. From there, the attacker performs a token swap on the current process for SYSTEM escalation.
The attack must come from a 32-bit (WoW64) process, since only WoW64 callers trigger the thunking path in ksthunk.sys.
Patch Analysis
The fix in KB5040442 adds overflow checking on the buffer size multiplication. Before allocating the pool buffer, the patched code verifies that the multiplication of count by structure size does not exceed MAXULONG (or the equivalent safe multiplication API), rejecting requests that would cause a wrap.
AutoPiff detects this via ioctl_input_size_validation_added.
Detection
YARA Rule
rule CVE_2024_38054_KsThunk {
meta:
description = "Detects vulnerable version of ksthunk.sys (pre-patch)"
cve = "CVE-2024-38054"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "ksthunk.sys" wide ascii nocase
$vuln_build = "10.0.22621.3733" wide ascii
$func_enable = "ThunkEnableEventIrp" ascii
$func_thunk = "CKSAutomationThunk" ascii
condition:
$mz at 0 and $driver_name and $vuln_build and any of ($func_*)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-Streaming | KS property and event IRP dispatch events | Monitors IOCTL requests processed by ksthunk.sys where the integer overflow occurs in KSSTREAM_HEADER size calculations during WOW64 thunking |
| Microsoft-Windows-Kernel-IoTrace | IOCTL dispatch and buffer validation events | Detects oversized or malformed IOCTL input buffers targeting the kernel streaming thunk layer from 32-bit processes |
| Microsoft-Windows-Kernel-Audit | Privilege escalation audit events | Captures elevation of privilege resulting from kernel pool corruption via the integer overflow in stream header thunking |
Behavioral Indicators
- A 32-bit (WOW64) process sending
IOCTL_KS_ENABLE_EVENTrequests to kernel streaming device objects with craftedKSSTREAM_HEADERstructures containing size fields designed to trigger integer overflow during the 32-to-64-bit thunking conversion - Kernel pool overflow in NonPagedPool caused by undersized allocation when the overflowed size value wraps to a small number while the actual data copy uses the original large size
- Anomalous sequence of kernel streaming device handle creation from a process that does not normally interact with multimedia or streaming subsystems
- Bugcheck
KERNEL_MODE_HEAP_CORRUPTIONorPOOL_CORRUPTION_IN_FILE_AREAon failed exploitation attempts, withksthunk.sysappearing in the stack trace - Low-privilege process achieving SYSTEM token after issuing a series of kernel streaming IOCTLs through the WOW64 thunk layer
Broader Significance
CVE-2024-38054 is part of the remarkable 2024 kernel streaming vulnerability cluster. What makes it particularly interesting is that the vulnerable build is the same one that patched CVE-2024-35250, demonstrating how fixes in one area of a complex subsystem can coexist with (or even introduce) vulnerabilities in adjacent code. The ksthunk.sys WoW64 translation layer is a compact but rich attack surface: it performs arithmetic on user-controlled sizes, allocates kernel buffers, and copies data, providing all the ingredients for integer overflow and heap overflow bugs.