Core Impact Quarterly Chronicle: Exploits and Updates | Q1 2025

Authors: Cristian Rubio, Arthur Lallemant (QA), and Daniel De Luca (QA)

CVSS:  8.8 HIGH

Reference:  CVE-2024-38144

Key Vulnerability Details

• An elevation of privilege vulnerability exists in the Kernel Streaming WOW Thunk Service Driver enables locally authenticated attacker with standard user privileges to execute code with SYSTEM privileges
• Impacted versions include multiple editions and versions of Windows 10, Windows 11, and Windows Server
• Classified as Integer Overflow or Wraparound (CWE-190)

Exploitation Impact and Mitigation

• Successful exploitation could allow an attacker to bypass security restrictions and gain higher-level access to the system
• This could potentially lead to full system control, with the ability to perform any action on the compromised system
• Microsoft has released a patch to address this vulnerability as part of their August 2024 security updates

Attacks in the Wild 

• No major attacks have been specifically reported for this vulnerability at this time.

Exploitation Mechanism

1. The exploit module sprays the memory with data queue entries.
2. It then triggers the vulnerability to overwrite the target’s data.
3. It leaks adjacent pool memory and bypass KASLR.
4. A data queue entry is forged to get an arbitrary memory read.
5. The address of the current process token and SYSTEM process token is leaked.
6. A new data queue entry is created and the IRP is leaked.
7. An IRP and the data queue entry is forged.
8. Read one byte to trigger the arbitrary write and get SYSTEM privileges.
    

Authors: Ricardo Narvaja and Nahuel Gonzalez (QA)

CVSS:  7.8 HIGH

Reference: CVE-2024-49138

Key Vulnerability Details

• An elevation of privilege vulnerability exists in the Microsoft Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges on affected systems
• This vulnerability is the result of improper handling of permissions within key Windows components
• Affected platforms include various versions of Microsoft Windows (including both workstation and server environments)
• Classified as Heap-based Buffer Overflow (CWE-122)

Exploitation Impact and Mitigation

• Successful exploitation enables low level attackers to elevate their access privileges from low-level user permissions to administrative rights
• This could potentially lead to data breaches, malware deployment, network disruption, and complete system takeover
• Microsoft released a patch for this vulnerability as part of their December 2024 security updates

Attacks in the Wild 

• Classified as a zero-day and has been actively exploited in the wild
• CISA has released an alert and added this vulnerability to the Known Exploited Vulnerabilities Catalog

Exploitation Mechanism

1. The exploit module allocates memory at address (stored in the variable pcclfscontainer).

2. It then calls CreateLogFile() and AddLogContainer() to create the .BLF and the container files under the selected path.

3. The malicious .BLF is fetched from the data replaced in the executable and overwrites the original .BLF with the crafted .BLF.

4. A fake CClfsContainer object is created, with a fake vtable that points to the address of nt!PoFxProcessorNotification.

5. Additional data is written in the allocated memory and the address of _KTHREAD.PreviousMode of the current thread.

6. CreateLogFile() is called again.

7. CreateLogFile() is invoked on the malicious BLF and the driver does the following at kernel level:

   1. Dereferences the malicious CClfsContainer object at address 0x0000000002100000.

   2. Calls nt!PoFxProcessorNotification, which redirects the execution flow to nt!DbgkpTriageDumpRestoreState.

   3. nt!DbgkpTriageDumpRestoreState is used to obtain an arbitrary write of eight bytes to overwrite the _KTHREAD.PreviousMode to zero of the current thread, granting arbitrary read/write primitives.

   4. Issues a series of calls to NtReadVirtualMemory()/NtWriteVirtualMemory() to replace the _EPROCESS.Token of the parent process with that of the system process (PID 4).

   5. Restores _KTHREAD.PreviousMode to one with a final NtWriteVirtualMemory()

Authors: Cristian Rubio and Nahuel Gonzalez (QA)

CVSS:  7.8 HIGH

Reference: CVE-2024-38196

Key Vulnerability Details

• An elevation of privilege vulnerability exists in the Microsoft Windows Common Log File System (CLFS) driver, allowing attackers with low privileges to potentially gain elevated privileges on a Windows system
• The attack vector is local, requiring the attacker to have access to the target system
• Affected platforms include various versions of Microsoft Windows, including Windows 10, Windows 11, and Windows Server
• Classified as Improper Input Validation (CWE-20)

Exploitation Impact and Mitigation

• By providing specially crafted input to the driver, an attacker could potentially cause it to execute code with elevated permissions, allowing them to view, change, or delete sensitive data, install programs, or create new accounts with full user rights
• Successful exploitation could lead to a complete compromise of the confidentiality, integrity, and availability of the affected system
• Microsoft released a patch for this vulnerability as part of their August 2024 security updates

Attacks in the Wild 

• No major attacks have been reported at this time

Exploitation Mechanism

1. The exploit module creates a crafted BLF file.
2. The vulnerability is triggered to get an arbitrary read/write primitive.
3. The current process token is replaced.
4. A Core Impact agent is deployed with SYSTEM privileges.

Authors: Fernando Páez Barceló and Daniel De Luca (QA)

CVSS:  9.1 CRITICAL 

Reference: CVE-2024-28987

Key Vulnerability Details

• A hardcoded credential vulnerability exists in SolarWinds Web Help Desk (WHD) software, allowing a remote, unauthenticated attacker to access internal functionality
• Affects SolarWinds WHD version 12.8.3 HF1 and all previous versions
• Classified as Use of Hard-Coded Credentials (CWE-798)

Exploitation Impact and Mitigation

• Successful exploitation grants unauthorized access to internal software functionality, allowing them to create, read, update, and delete data on specific WHD endpoints
• This could lead to data breaches, manipulation of records, or deletion of critical information
• SolarWinds has released multiple hotfixes to address this vulnerability
• Users are recommended to manually apply the hotfix to remove the hardcoded credentials

Attacks in the Wild

• This vulnerability is being actively exploited in the wild
• CISA has released an alert and added this vulnerability to the  Known Exploited Vulnerabilities Catalog

Exploitation Mechanism

1. This exploit module sends a Basic Authentication request to the /OrionTickets endpoint.
2. If the request returns ticket data, the target is confirmed to be vulnerable.
3. Tickets from the system are retrieved and can be saved locally to a file if a path is provided.
4. If specified in an optional parameter, the exploit module creates a new ticket in the system, which could be generated with user-defined subject and details, to inform about the vulnerability.
5. The exploit can request detailed information for each ticket.

Authors: Esteban Kazimirow and Daniel de Luca (QA)

CVSS:  7.8 HIGH

Reference: CVE-2024-9474, CVE-2024-0012

Key Vulnerability Details

• An elevation of privilege vulnerability exists in the Windows Error Reporting (WER) Service, allowing local attackers with user permissions to gain elevated privileges
• The vulnerability stems from the WER service's failure to correctly manage user privileges
• Affects various versions of Microsoft Windows 10, Windows 11, and Windows Server 2016, 2019, and 2022
• Classified as an Improper Privilege Management (CWE-269)

Exploitation Impact and Mitigation

• Successful exploitation is achieved by manipulating the Windows Error Reporting registry settings (werkernel.sys), allowing attackers to execute their own malicious program with the elevated privileges of the WER service
• This could lead to the installation of unauthorized software, theft of sensitive data, or disruption of critical system functions
• Microsoft released a patch for this vulnerability as part of their March 2024 security updates

Attacks in the Wild 

• This vulnerability has been actively exploited in the wild as a zero-day by the Black Basta ransomware group 

Exploitation Mechanism

1. The exploit module initializes Native APIs by loading necessary Windows APIs for low-level operations.
2. The Registry is then modified to hijack WerFault.exe by setting a malicious Debugger key.
3. Resources are locked by creating lock files and manipulating registry keys to ensure uninterrupted execution.
4. The Vulnerability is triggered by calling ReportFault, forcing the Windows Error Reporting service to execute the malicious payload.
5. Privileges are escalated by executing arbitrary code with SYSTEM-level privileges through the hijacked WerFault.exe.
6. Traces are removed, like the Debugger key and temporary files to avoid detection.

Authors: Cristian Rubio, Arthur Lallemant (QA), and Daniel De Luca (QA)

CVSS:  7.8 HIGH

Reference:  CVE-2024-30085

Key Vulnerability Details

• An elevation of privilege vulnerability exists in the Windows Cloud Files Mini Filter Driver, allowing an attacker with low privileges to potentially gain elevated privileges on a Windows system.
• The attack vector is local, requiring the attacker to have access to the target system.
• Affects various versions of Microsoft Windows.
• Classified as a Heap-based Buffer Overflow (CWE-122)

Exploitation Impact and Mitigation

• Successful exploitation is achieved by sending specially crafted requests to the driver to trigger the overflow, eventually giving attackers high-level privileges and allowing them to view, change, or delete sensitive data, install programs, or create new accounts with full user rights.
• This could lead to a complete compromise of the confidentiality, integrity, and availability of the affected system.
• Microsoft released a patch for this vulnerability as part of their June 2024 security updates

Attacks in the Wild 

• No major attacks have been reported at this time

Exploitation Mechanism

1. The exploit module registers a sync root and sets its reparse point data.
2. A memory spray is executed using WNF and ALPC.
3. The vulnerability is triggered to get an arbitrary write.
4. The token privileges of the current process are overwritten.
5. A new Core Impact agent is injected into an elevated process to run as SYSTEM.