A critical use-after-free vulnerability, tracked as CVE-2024-38193 with a CVSS score of 7.8, has been discovered in the afd.sys Windows driver. It allows attackers to escalate privileges and execute arbitrary code. The vulnerability was fixed in the August 2024 Patch Tuesday release.
Security researchers from Gen Digital, who discovered and reported the vulnerability to Microsoft, stated that the flaw allows attackers to bypass normal security restrictions and access sensitive system areas that are typically inaccessible to most users and administrators. This attack is both complex and cunning, potentially worth hundreds of thousands of dollars on the black market.
CVE-2024-38193 resides in the Registered I/O (RIO) extension for Windows sockets, a feature designed to optimize socket programming by reducing system calls. The vulnerability stems from a race condition between the AfdRioGetAndCacheBuffer() and AfdRioDereferenceBuffer() functions within the afd.sys driver.
The exploitation of CVE-2024-38193 involves a multi-stage process, as outlined below:
1. The attacker sprays the non-paged pool with fake RIOBuffer structures and creates holes, paving the way for the vulnerability to be triggered.
2. By creating two concurrent threads, the attacker deregisters buffers while they are still in use, leading to a use-after-free scenario.
3. The attacker leverages the freed RIOBuffer structures to gain control over the contents of the cache and escalate privileges.
The exploit uses the resulting arbitrary write capability to overwrite the _SEP_TOKEN_PRIVILEGES structure, granting NT AUTHORITY\SYSTEM privileges.
Security researcher Nephster has published proof-of-concept (PoC) code for the CVE-2024-38193 vulnerability on GitHub, further escalating its potential threat. The PoC demonstrates how attackers can reliably achieve privilege escalation on unpatched systems.