CVE-2024-38054
Kernel Streaming WOW64 Thunk — integer overflow in KSSTREAM_HEADER thunking allows EoP
Summary
| Field | Value |
|---|---|
| Driver | ksthunk.sys |
| Vulnerability Class | IOCTL Hardening |
| Vulnerable Build | 10.0.22621.3733 (KB5039212) |
| Fixed Build | 10.0.22621.3880 (KB5040442) |
| Exploited ITW | No |
Affected Functions
- `CKSAutomationThunk::ThunkEnableEventIrp`
- `CKSAutomationThunk::Thunk`
Root Cause
AutoPiff categorizes the patch as `ioctl_hardening`, with one detection rule matched:
- `ioctl_input_size_validation_added`: the fixed build adds a size check on the IOCTL input before the thunked structure is sized, allocated and filled. In the vulnerable build the size calculation derived from the caller's 32-bit `KSSTREAM_HEADER` fields can wrap, so the pool allocation ends up smaller than the copy that follows it.
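The following is an added illustration of the bug class named above (a 32-bit size calculation in a WOW64 thunk that wraps before the allocation), placed beside the kind of input-size validation the patch category describes. It is not code from ksthunk.sys or from KernelSight; `STREAM_HEADER32`, `STREAM_HEADER64` and the function names are hypothetical stand-ins for the `KSSTREAM_HEADER` thunking the page refers to, and the attacker-chosen length is constructed.

```c
/*
 * Added example: the size-wrap pattern behind an "ioctl_input_size_validation_added"
 * fix. Not code from ksthunk.sys; structure and function names are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header as a 32-bit (WOW64) caller lays it out: 32-bit pointer. */
typedef struct {
    uint32_t Size;      /* header size as declared by the caller */
    uint32_t DataUsed;  /* caller-controlled length of trailing data */
    uint32_t Data32;    /* 32-bit user pointer; the thunk must widen it */
} STREAM_HEADER32;

/* Hypothetical native layout the thunk produces: pointer widened to 64 bits. */
typedef struct {
    uint32_t Size;
    uint32_t DataUsed;
    uint64_t Data64;
} STREAM_HEADER64;

/* Vulnerable pattern: a 32-bit add of the native header size and the caller's
 * length. With DataUsed close to 0xFFFFFFFF the sum wraps to a small number,
 * and that small number becomes the pool allocation size. */
uint32_t thunk_size_vulnerable(uint32_t data_used)
{
    return (uint32_t)sizeof(STREAM_HEADER64) + data_used;   /* may wrap */
}

/* True when the vulnerable size allocates fewer bytes than the copy that
 * follows it (the copy still uses the original DataUsed): pool overflow. */
bool copy_exceeds_allocation(uint32_t data_used)
{
    uint32_t alloc = thunk_size_vulnerable(data_used);
    return alloc < data_used;
}

/* Hardened pattern: bound the caller's length by the IOCTL's InputBufferLength
 * and reject the 32-bit wrap explicitly. In kernel code step 3 is what
 * RtlULongAdd / RtlSizeTAdd do. Returns false when the request is rejected. */
bool thunk_size_hardened(uint32_t data_used, uint32_t input_buffer_len,
                         uint32_t *out_total)
{
    const uint32_t hdr32 = (uint32_t)sizeof(STREAM_HEADER32);
    const uint32_t hdr64 = (uint32_t)sizeof(STREAM_HEADER64);

    if (input_buffer_len < hdr32)               /* 1: the header itself must fit   */
        return false;
    if (data_used > input_buffer_len - hdr32)   /* 2: claimed data must be present */
        return false;
    if (data_used > UINT32_MAX - hdr64)         /* 3: hdr64 + data must not wrap   */
        return false;
    *out_total = hdr64 + data_used;
    return true;
}

int main(void)
{
    uint32_t total = 0;
    uint32_t evil = 0xFFFFFFF8u;   /* constructed attacker-chosen DataUsed */
    bool ok;

    printf("vulnerable: DataUsed=0x%08x -> allocation of %u bytes, copy exceeds it: %s\n",
           evil, thunk_size_vulnerable(evil),
           copy_exceeds_allocation(evil) ? "yes" : "no");

    ok = thunk_size_hardened(evil, 0xFFFFFFFFu, &total);
    printf("hardened:   same DataUsed accepted: %s\n", ok ? "yes" : "no");

    ok = thunk_size_hardened(64, 76, &total);
    printf("hardened:   DataUsed=64 in a 76-byte buffer accepted: %s, total %u\n",
           ok ? "yes" : "no", ok ? total : 0u);
    return 0;
}
```

The three checks in `thunk_size_hardened` are independent: check 2 alone already rejects the constructed value because the data cannot fit in any real input buffer, but check 3 is what guards the arithmetic itself, so a later refactor that sizes a different structure from the same field still cannot wrap.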
Exploitation
Patch Analysis
Detection
YARA Rule
```yara
rule CVE_2024_38054_KsThunk {
    meta:
        description = "Detects vulnerable version of ksthunk.sys (pre-patch)"
        cve = "CVE-2024-38054"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        // OriginalFilename / InternalName in the version resource (UTF-16)
        $driver_name = "ksthunk.sys" wide ascii nocase
        // FileVersion string of the vulnerable build from the Summary table
        $vuln_build = "10.0.22621.3733" wide ascii
        // Symbol names; only useful if they survive as strings in the binary
        $func_enable = "ThunkEnableEventIrp" ascii
        $func_thunk = "CKSAutomationThunk" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($func_*)
}
```

Two caveats before deploying this rule. It matches only the single version string `10.0.22621.3733`; ksthunk.sys carries the file version of the last cumulative update that changed it, so earlier vulnerable revisions on the same servicing branch, and vulnerable builds on other branches, are not matched, and a numeric comparison of the file version against the fixed build is the more robust check. The `$func_*` strings are symbol names from the PDB; release kernel drivers usually do not carry them as strings, so confirm against a known vulnerable sample that `any of ($func_*)` can actually be satisfied, or drop that clause.
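As an added example for this detection section (not part of the original page or of KernelSight's tooling), the check below reads the numeric file version from a ksthunk.sys image's `VS_FIXEDFILEINFO` and compares it against the fixed build in the Summary table, so every revision below 10.0.22621.3880 on that servicing branch is flagged rather than one version string. The fixed revision 3880 is taken from the page; builds on other servicing branches are reported as unknown because the page gives no numbers for them. The sample image bytes are constructed for the demonstration and are not a real driver.

```c
/*
 * Added example: classify a ksthunk.sys image by numeric file version.
 * Reads dwFileVersionMS/LS from VS_FIXEDFILEINFO. Fixed build taken from the
 * page's Summary table (10.0.22621.3880, KB5040442). Not vendor code.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define VS_FFI_SIGNATURE 0xFEEF04BDu   /* VS_FIXEDFILEINFO.dwSignature */
#define FIXED_BUILD      22621u        /* 10.0.22621.x servicing branch */
#define FIXED_REVISION   3880u         /* first fixed revision on that branch */

typedef struct { uint16_t major, minor, build, revision; } file_version_t;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Scan a PE image for VS_FIXEDFILEINFO: dwSignature, dwStrucVersion, then
 * dwFileVersionMS (major.minor) and dwFileVersionLS (build.revision).
 * Scanning for the signature avoids walking the resource directory; the
 * 32-bit signature is specific enough that a false hit in a driver is unlikely. */
bool find_file_version(const uint8_t *buf, size_t len, file_version_t *out)
{
    for (size_t i = 0; i + 16 <= len; i++) {
        if (rd32le(buf + i) != VS_FFI_SIGNATURE)
            continue;
        uint32_t ms = rd32le(buf + i + 8);
        uint32_t ls = rd32le(buf + i + 12);
        out->major    = (uint16_t)(ms >> 16);
        out->minor    = (uint16_t)(ms & 0xFFFF);
        out->build    = (uint16_t)(ls >> 16);
        out->revision = (uint16_t)(ls & 0xFFFF);
        return true;
    }
    return false;
}

/* 1 = vulnerable (older than the fixed revision), 0 = fixed,
 * -1 = not the 10.0.22621 branch; the page gives no fixed number for it. */
int assess_ksthunk_version(const file_version_t *v)
{
    if (v->major != 10 || v->minor != 0 || v->build != FIXED_BUILD)
        return -1;
    return v->revision < FIXED_REVISION ? 1 : 0;
}

/* Whole-image convenience wrapper. -2 = no version resource found. */
int assess_ksthunk_image(const uint8_t *buf, size_t len)
{
    file_version_t v;
    if (!find_file_version(buf, len, &v))
        return -2;
    return assess_ksthunk_version(&v);
}

/* Constructed sample: MZ plus padding, then the first four DWORDs of a
 * VS_FIXEDFILEINFO for 10.0.22621.3733 (the page's vulnerable build). */
const uint8_t SAMPLE_VULNERABLE_IMAGE[] = {
    0x4D, 0x5A, 0x90, 0x00, 0x00, 0x00,   /* "MZ" + padding                */
    0xBD, 0x04, 0xEF, 0xFE,               /* dwSignature 0xFEEF04BD        */
    0x00, 0x00, 0x01, 0x00,               /* dwStrucVersion 1.0            */
    0x00, 0x00, 0x0A, 0x00,               /* dwFileVersionMS = 10.0        */
    0x95, 0x0E, 0x5D, 0x58,               /* dwFileVersionLS = 22621.3733  */
};

int main(int argc, char **argv)
{
    const uint8_t *img = SAMPLE_VULNERABLE_IMAGE;
    size_t len = sizeof SAMPLE_VULNERABLE_IMAGE;
    uint8_t *filebuf = NULL;
    file_version_t v;

    if (argc > 1) {   /* usage: ./a.out C:\Windows\System32\drivers\ksthunk.sys */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        fseek(f, 0, SEEK_END); len = (size_t)ftell(f); rewind(f);
        filebuf = malloc(len ? len : 1);
        if (!filebuf || fread(filebuf, 1, len, f) != len) { fclose(f); free(filebuf); return 2; }
        fclose(f);
        img = filebuf;
    }
    if (!find_file_version(img, len, &v)) {
        printf("no VS_FIXEDFILEINFO found\n");
    } else {
        static const char *verdict[] = { "fixed", "VULNERABLE" };
        int r = assess_ksthunk_version(&v);
        printf("ksthunk.sys file version %u.%u.%u.%u: %s\n", v.major, v.minor,
               v.build, v.revision, r < 0 ? "unknown branch" : verdict[r]);
    }
    free(filebuf);
    return 0;
}
```

Because ksthunk.sys keeps the file version of the last cumulative update that touched it, the numeric comparison correctly treats every earlier revision on the 22621 branch as pre-patch and every later one as fixed, which a single string match cannot do.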
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-Streaming | KS property and event IRP dispatch events | Context for IOCTL traffic reaching the kernel streaming stack; the vulnerable path is the 32-to-64-bit thunk of the request in ksthunk.sys, so correlate these events with the caller's WOW64 status |
| Microsoft-Windows-Kernel-IoTrace | IOCTL dispatch and buffer-length events | Surfaces unusually large or malformed input buffers sent by 32-bit processes to kernel streaming devices; a length near the 32-bit limit is the shape that wraps the size calculation |
| Microsoft-Windows-Kernel-Audit | Privilege and token audit events | Post-exploitation signal only: a low-privilege caller holding a SYSTEM token after the IOCTL sequence; these events do not observe the pool corruption itself |
Behavioral Indicators
- A 32-bit (WOW64) process sending `IOCTL_KS_ENABLE_EVENT` requests to kernel streaming device objects with crafted `KSSTREAM_HEADER` structures whose size fields are chosen to trigger an integer overflow during the 32-to-64-bit thunking conversion
- Kernel pool overflow in NonPagedPool caused by an undersized allocation: the overflowed size value wraps to a small number while the data copy that follows still uses the original large length
- Anomalous sequence of kernel streaming device handle creation from a process that does not normally interact with multimedia or streaming subsystems
- Bugcheck `KERNEL_MODE_HEAP_CORRUPTION` or `POOL_CORRUPTION_IN_FILE_AREA` on failed exploitation attempts, with `ksthunk.sys` appearing in the stack trace
- A low-privilege process acquiring a SYSTEM token after issuing a series of kernel streaming IOCTLs through the WOW64 thunk layer