CVE-2024-38238
Kernel Streaming WOW64 Thunk -- MmMapLockedPages without MmProbeAndLockPages in frame handling
Summary
| Field | Value |
|---|---|
| Driver | ksthunk.sys |
| Vulnerability Class | MDL Handling |
| Vulnerable Build | 10.0.22621.4036 (KB5041585) |
| Fixed Build | 10.0.22621.4169 (KB5043076) |
| Exploited ITW | No |
Affected Functions
CKSAutomationThunkThunkStreamingIrp
Root Cause
The Kernel Streaming WOW64 Thunk driver (ksthunk.sys) converts 32-bit streaming IRPs to 64-bit format. During the conversion of streaming frame data in ThunkStreamingIrp, the driver constructs an MDL (Memory Descriptor List) to map buffer pages into kernel virtual address space via MmMapLockedPages.
The problem is that the driver calls MmMapLockedPages on an MDL without first calling MmProbeAndLockPages. The MmProbeAndLockPages step is essential: it validates that the physical pages described by the MDL are accessible and locks them in memory, preventing them from being paged out or reassigned. Without this step, the MDL may describe pages that are not properly owned by the caller, or pages whose physical backing can change between the time the MDL is constructed and the time the mapping is used.
An attacker can supply page frame numbers (or influence the MDL construction) to map arbitrary physical pages into the kernel's virtual address space. Since the driver skips the probing step, there is no validation that the pages belong to the requesting process or fall within user-mode memory. This gives the attacker a window to read or write arbitrary physical memory through the mapped virtual address.
AutoPiff categorizes this as mdl_handling with detection rules:
mdl_safe_mapping_replacementmdl_null_check_added
Exploitation
The attacker runs a 32-bit (WoW64) process and sends crafted streaming IOCTLs that reach the ThunkStreamingIrp path. The MDL constructed during thunking describes pages that the attacker can influence. Because MmProbeAndLockPages is never called, the kernel maps these pages into virtual address space without verifying ownership.
The mapped pages may include kernel data structures, other processes' memory, or security-sensitive kernel objects. Reading from the mapping provides an information disclosure primitive; writing to it provides kernel memory corruption. With controlled read/write over kernel memory, the attacker locates and modifies the current process's EPROCESS token for SYSTEM escalation.
Patch Analysis
The fix in KB5043076 replaces the unsafe MmMapLockedPages call with a safe mapping pattern that includes proper MmProbeAndLockPages validation before mapping. The patch also adds null checks on the MDL pointer to handle allocation failures gracefully.
AutoPiff detects this via mdl_safe_mapping_replacement and mdl_null_check_added.
Detection
YARA Rule
rule CVE_2024_38238_KsThunk {
meta:
description = "Detects vulnerable version of ksthunk.sys (pre-patch)"
cve = "CVE-2024-38238"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "ksthunk.sys" wide ascii nocase
$vuln_build = "10.0.22621.4036" wide ascii
$func_thunk = "CKSAutomationThunk" ascii
$func_streaming = "ThunkStreamingIrp" ascii
condition:
$mz at 0 and $driver_name and $vuln_build and any of ($func_*)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-Streaming | Streaming IRP processing events | Monitors thunking operations in the WOW64 kernel streaming path where unsafe MDL mapping occurs |
| Microsoft-Windows-Kernel-IoTrace | IRP dispatch and completion tracing | Detects IOCTL requests targeting ksthunk.sys device objects from WOW64 (32-bit) processes |
| Microsoft-Windows-Kernel-Audit | Privilege change audit events | Captures privilege escalation resulting from arbitrary kernel write via MDL corruption |
Behavioral Indicators
- A 32-bit (WOW64) process opening handles to kernel streaming device objects and issuing crafted streaming IOCTLs to trigger the thunking path in
ksthunk.sys MmMapLockedPagescalled on an MDL that was not preceded byMmProbeAndLockPages, allowing user-controlled physical page mappings into kernel virtual address space- Kernel pool corruption artifacts in the NonPagedPool originating from improperly mapped MDL pages during frame handling operations
- Unexpected BSOD with bugcheck
DRIVER_CORRUPTED_MMPOOLorSPECIAL_POOL_DETECTED_MEMORY_CORRUPTIONwhen exploitation fails, indicating attempted MDL abuse - Low-privilege process spawning a child process with elevated (SYSTEM) privileges shortly after issuing kernel streaming IOCTLs
Broader Significance
CVE-2024-38238 is the fourth vulnerability in ksthunk.sys within a year (after CVE-2024-30090, CVE-2024-38054, and CVE-2024-38144), each exploiting a different class of bug: mode confusion, integer overflow, and now unsafe MDL mapping. The MDL handling pattern here (calling MmMapLockedPages without MmProbeAndLockPages) is a well-known anti-pattern in Windows driver development, explicitly documented as dangerous in Microsoft's own WDK documentation. Its presence in a driver that was being actively patched for other bugs suggests that the fixes were focused on the reported vulnerabilities without a broader audit of the driver's security posture.