CVE-2024-38238
Kernel Streaming WOW64 Thunk — MmMapLockedPages without MmProbeAndLockPages in frame handling
Summary
| Field | Value |
|---|---|
| Driver | ksthunk.sys |
| Vulnerability Class | MDL Handling |
| Vulnerable Build | 10.0.22621.4036 (KB5041585) |
| Fixed Build | 10.0.22621.4169 (KB5043076) |
| Exploited ITW | No |
Affected Functions
CKSAutomationThunkThunkStreamingIrp
Root Cause
AutoPiff categorizes this as mdl_handling with detection rules:
- mdl_safe_mapping_replacement
- mdl_null_check_added
Exploitation
Patch Analysis
Detection
YARA Rule
```yara
rule CVE_2024_38238_KsThunk {
    meta:
        description = "Detects vulnerable version of ksthunk.sys (pre-patch)"
        cve = "CVE-2024-38238"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "ksthunk.sys" wide ascii nocase
        $vuln_build = "10.0.22621.4036" wide ascii
        $func_thunk = "CKSAutomationThunk" ascii
        $func_streaming = "ThunkStreamingIrp" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($func_*)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-Streaming | Streaming IRP processing events | Monitors thunking operations in the WOW64 kernel streaming path where unsafe MDL mapping occurs |
| Microsoft-Windows-Kernel-IoTrace | IRP dispatch and completion tracing | Detects IOCTL requests targeting ksthunk.sys device objects from WOW64 (32-bit) processes |
| Microsoft-Windows-Kernel-Audit | Privilege change audit events | Captures privilege escalation resulting from arbitrary kernel write via MDL corruption |
Behavioral Indicators
- A 32-bit (WOW64) process opening handles to kernel streaming device objects and issuing crafted streaming IOCTLs to trigger the thunking path in ksthunk.sys
- MmMapLockedPages called on an MDL that was not preceded by MmProbeAndLockPages, allowing user-controlled physical page mappings into kernel virtual address space
- Kernel pool corruption artifacts in the NonPagedPool originating from improperly mapped MDL pages during frame handling operations
- Unexpected BSOD with bugcheck DRIVER_CORRUPTED_MMPOOL or SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION when exploitation fails, indicating attempted MDL abuse
- Low-privilege process spawning a child process with elevated (SYSTEM) privileges shortly after issuing kernel streaming IOCTLs
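The first and last behavioral indicators above can be correlated mechanically: track low-privilege WOW64 processes that issue kernel streaming IOCTLs, then flag any SYSTEM-token child they spawn within a short window. The following is an added example (not part of the original advisory or of any KernelSight tooling); it assumes a constructed event format rather than real ETW field names, and the device-name marker `ksthunk` is a hypothetical stand-in for however your telemetry names the ksthunk.sys device objects.

```python
# Constructed event records for this example; not a real ETW schema.
# 'ioctl': a process sent an IOCTL to a device; 'proc_create': a new process.
SAMPLE_EVENTS = [
    {"ts": 10.0, "type": "ioctl", "pid": 4100, "wow64": True,
     "integrity": "medium", "device": "ksthunk-sample-device"},
    {"ts": 12.5, "type": "proc_create", "ppid": 4100, "child_pid": 4188,
     "token": "SYSTEM"},
    # WOW64 process, streaming IOCTL, but the child runs at normal privilege.
    {"ts": 20.0, "type": "ioctl", "pid": 5200, "wow64": True,
     "integrity": "medium", "device": "ksthunk-sample-device"},
    {"ts": 21.0, "type": "proc_create", "ppid": 5200, "child_pid": 5300,
     "token": "MEDIUM"},
    # SYSTEM child, but far outside the correlation window.
    {"ts": 30.0, "type": "ioctl", "pid": 6000, "wow64": True,
     "integrity": "medium", "device": "ksthunk-sample-device"},
    {"ts": 100.0, "type": "proc_create", "ppid": 6000, "child_pid": 6100,
     "token": "SYSTEM"},
    # SYSTEM child after an IOCTL to an unrelated device.
    {"ts": 40.0, "type": "ioctl", "pid": 7000, "wow64": True,
     "integrity": "medium", "device": "other-sample-device"},
    {"ts": 41.0, "type": "proc_create", "ppid": 7000, "child_pid": 7100,
     "token": "SYSTEM"},
]

LOW_PRIV = {"low", "medium"}   # integrity levels treated as low-privilege
KS_MARKERS = ("ksthunk",)      # hypothetical device-name substrings for ksthunk.sys


def find_suspicious(events, window=30.0, markers=KS_MARKERS):
    """Return (parent_pid, child_pid, seconds_after_ioctl) for every
    low-privilege WOW64 process that issued a kernel streaming IOCTL and
    then spawned a SYSTEM-token child within `window` seconds."""
    last_ks_ioctl = {}  # pid -> timestamp of its most recent streaming IOCTL
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "ioctl":
            dev = ev["device"].lower()
            if (ev["wow64"] and ev["integrity"] in LOW_PRIV
                    and any(m in dev for m in markers)):
                last_ks_ioctl[ev["pid"]] = ev["ts"]
        elif ev["type"] == "proc_create" and ev["token"] == "SYSTEM":
            t = last_ks_ioctl.get(ev["ppid"])
            if t is not None and 0.0 <= ev["ts"] - t <= window:
                hits.append((ev["ppid"], ev["child_pid"], ev["ts"] - t))
    return hits


if __name__ == "__main__":
    for ppid, child, delta in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious: pid {ppid} spawned SYSTEM child {child} "
              f"{delta:.1f}s after a kernel streaming IOCTL")
```

Widening `window` trades missed slow exploitation attempts against false positives from legitimate service launches; tune it against baseline telemetry before alerting on it.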