PoC Exploit Released for 0-day Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-21338)

Security researchers published the technical details and proof-of-concept (PoC) exploit code for a dangerous zero-day vulnerability, CVE-2024-21338, that was recently exploited by the state-backed North Korean hacking group Lazarus. The flaw resides in the Windows kernel itself, allowing attackers to gain deep system-level control and disable security tools.

The Lazarus Group exploited this vulnerability to create a kernel read/write primitive via an updated version of their FudModule rootkit, malware previously noted for using a Dell driver in Bring Your Own Vulnerable Driver (BYOVD) attacks. This new exploitation method let them avoid the more easily detected BYOVD techniques while still achieving kernel-level access. That access was used to disable security tools, including prominent ones like Microsoft Defender and CrowdStrike Falcon, thus facilitating further malicious activity without detection.

Avast’s analysis revealed significant enhancements in the stealth and functionality of the new version of FudModule. The rootkit now includes the capability to suspend processes protected by Protected Process Light (PPL) by manipulating handle table entries. It also features selective disruption strategies through DKOM (Direct Kernel Object Manipulation) and has improved methods for tampering with Driver Signature Enforcement and Secure Boot mechanisms.

Following Avast’s initial analysis, researcher Nero22k released PoC exploit code for the Windows kernel vulnerability (CVE-2024-21338) last month. Rafael Felix of Hakai Security has since published technical details and a proof-of-concept for this flaw.


Originally published by DO SON: PoC Exploit Released for 0-day Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-21338)