CVE-2024-38144
Kernel Streaming WOW Thunk -- integer overflow in buffer size calculation
Summary
| Field | Value |
|---|---|
| Driver | ksthunk.sys |
| Vulnerability Class | Integer Overflow |
| Exploited ITW | No |
| CVSS | 8.8 |
Root Cause
The Kernel Streaming WOW Thunk Service Driver (ksthunk.sys) is the translation layer that converts 32-bit IOCTL requests into 64-bit format when WoW64 processes interact with kernel streaming devices. This conversion requires recalculating buffer sizes to accommodate the wider 64-bit structures.
The vulnerability is an integer overflow in the output buffer size calculation. When the driver converts a request, it multiplies a user-controlled count by the size of the target 64-bit structure to compute the total output buffer length. If the count is large enough, this multiplication wraps around the 32-bit integer boundary, producing a small value. The driver allocates a kernel pool buffer using this small (wrapped) value, then populates it with data sized according to the original (un-wrapped) count. The data spills past the end of the undersized allocation, producing a heap buffer overflow in the kernel pool.
This is another finding from Angelboy's (DEVCORE) systematic audit of the kernel streaming attack surface, part of the same research effort that produced CVE-2024-30090 and CVE-2024-35250. The CVSS score of 8.8 reflects the potential for remote exploitation in certain kernel streaming configurations.
Exploitation
The integer overflow leads to a controlled heap buffer overflow in the kernel pool. The exploitation follows the standard pool feng shui approach: spray the pool with controlled objects of matching size to create a predictable layout, trigger the overflow to corrupt an adjacent object's header or function pointer, and convert that corruption into a read/write primitive.
The specific spray targets and corruption strategies are the same as for other ksthunk.sys overflow bugs (CVE-2024-38054, CVE-2024-38238): pipe attributes, event objects, or other small pool allocations that provide useful primitives when their fields are corrupted. From arbitrary kernel read/write, the attacker performs a token swap for SYSTEM escalation.
The attack requires a 32-bit (WoW64) process since only WoW64 callers trigger the thunking path.
Patch Analysis
The fix adds overflow checking on the buffer size multiplication. The patched code uses a safe multiplication that checks for wraparound before allocating the pool buffer, rejecting requests where the computed size would overflow.
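The size calculation the root cause describes and the checked multiply the patch introduces, side by side as an added example written for this page (not ksthunk.sys source; the item sizes are constructed stand-ins, and `RtlULongMult`-style checking is approximated with 64-bit arithmetic):

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the 32-bit and 64-bit forms of a thunked
 * kernel streaming item. The real layouts are not on the page; the
 * only property that matters here is that the 64-bit form is wider. */
#define ITEM_SIZE_32 16u
#define ITEM_SIZE_64 24u

/* Pre-patch pattern: count * sizeof(64-bit item) in 32-bit arithmetic.
 * A large count wraps past 2^32 and yields a small allocation size. */
uint32_t unchecked_output_size(uint32_t count)
{
    return count * ITEM_SIZE_64;            /* wraps silently */
}

/* Patched pattern: widen before multiplying and refuse any result that
 * does not fit in 32 bits, so no wrapped size ever reaches the allocator. */
bool checked_output_size(uint32_t count, uint32_t *out_size)
{
    uint64_t wide = (uint64_t)count * ITEM_SIZE_64;
    if (wide > UINT32_MAX) {
        *out_size = 0;
        return false;                        /* reject the request */
    }
    *out_size = (uint32_t)wide;
    return true;
}

/* Convenience wrapper: does the checked path accept this count? */
bool checked_accepts(uint32_t count)
{
    uint32_t unused;
    return checked_output_size(count, &unused);
}

/* True when the unchecked size is smaller than what the un-wrapped
 * count would actually write, i.e. the allocation would be undersized. */
bool would_undersize(uint32_t count)
{
    return (uint64_t)unchecked_output_size(count) < (uint64_t)count * ITEM_SIZE_64;
}

int main(void)
{
    uint32_t counts[] = { 100u, 0xAAAAAAABu };   /* constructed inputs */
    for (int i = 0; i < 2; i++)
        printf("count=0x%08x unchecked=0x%08x checked=%s undersized=%s\n",
               counts[i], unchecked_output_size(counts[i]),
               checked_accepts(counts[i]) ? "accepted" : "rejected",
               would_undersize(counts[i]) ? "yes" : "no");
    return 0;
}
```

With the constructed 24-byte item, a count of 0xAAAAAAAB wraps to an 8-byte size in the unchecked path while the checked path rejects it outright.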
Broader Significance
CVE-2024-38144 is the third integer overflow in ksthunk.sys found by DEVCORE's research (alongside CVE-2024-38054 and CVE-2024-30090). The WoW64 thunking layer is a small driver, but it performs multiple size calculations on user-controlled inputs for every translated IOCTL, making it a dense target for arithmetic overflow bugs. The CVSS 8.8 score is notable for a local privilege escalation bug, reflecting that certain kernel streaming device configurations can be reached remotely, though the typical exploitation path is local. The cluster of bugs in this single driver demonstrates how a focused attack surface audit can yield multiple findings in a compact codebase.