Originally published as: PoC Exploit Released for 0-day Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-21338)
PoC Exploit Released for 0-day Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-21338)
Security researchers have published the technical details and proof-of-concept (PoC) exploit code for CVE-2024-21338, a zero-day that the North Korean state-backed group Lazarus exploited in the wild before it was patched. The flaw lives in appid.sys, the AppLocker driver that ships with Windows and runs in kernel mode. Avast, which found the in-the-wild exploit, describes it as an admin-to-kernel bug: an attacker who already holds administrator rights uses it to run code at ring 0, and from there to disable security tools.
Lazarus used the vulnerability to build a kernel read/write primitive for an updated version of its FudModule rootkit. Earlier versions of FudModule reached the kernel by Bring Your Own Vulnerable Driver (BYOVD), loading a vulnerable Dell driver (dbutil_2_3.sys, CVE-2021-21551). Exploiting a bug in a driver that Windows already ships avoids the conspicuous step of dropping and loading a third-party driver, which is what most BYOVD detections key on. With kernel access, the rootkit disabled security products including Microsoft Defender and CrowdStrike Falcon, so the rest of the intrusion could proceed unobserved.
Avast's analysis shows that the new FudModule build is both stealthier and more capable. It can suspend processes protected by Protected Process Light (PPL) by manipulating handle table entries, it selectively disrupts individual security products through direct kernel object manipulation (DKOM), and it has improved routines for tampering with Driver Signature Enforcement and Secure Boot mechanisms.
After Avast's initial analysis, researcher Nero22k released PoC exploit code for CVE-2024-21338 last month, and Rafael Felix of Hakai Security has since published his own technical write-up and proof of concept for the flaw.
The bug sits in the I/O control (IOCTL) dispatcher of appid.sys: a handler reachable through the driver's device object takes a function pointer from the caller-controlled input buffer and calls it in kernel mode, with no check that the address points to something the driver meant to call. A caller who can open the device therefore gets a controlled call at ring 0, and none of the protections that stop an administrator from loading unsigned kernel code stand in the way, because no new code is loaded. Lazarus turned that single controlled call into a stable kernel read/write primitive; with it, FudModule performs direct kernel object manipulation (DKOM) to blind security products, hide its activities, and stay resident on the infected system.
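The pattern described above, as an added user-mode model that is not code from the article, from Avast's analysis, or from appid.sys itself: an IOCTL dispatcher that calls a pointer found in the caller's input buffer, beside one that honours caller-supplied callbacks only from kernel mode and reduces user-mode callers to a range-checked index into a table the driver owns. The request layout, its field names, the two toy hash routines, `attacker_gadget` and the sample buffer are all assumptions made for this model, and the two mitigations are general driver-hardening patterns rather than a description of Microsoft's fix.

```c
/* Added model of the bug class; not code from the article, Avast, or appid.sys. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_ACCESS_DENIED     0xC0000022u

/* Previous mode of the thread issuing the IOCTL, as the kernel tracks it. */
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;

/* Callback signature shared by the driver's own hashing routines (assumed). */
typedef NTSTATUS (*HASH_FN)(const uint8_t *data, size_t len, uint32_t *out);

/* Driver-owned routines: the only code the dispatcher should ever jump to. */
static NTSTATUS sum_hash(const uint8_t *d, size_t n, uint32_t *out) {
    uint32_t h = 0;
    for (size_t i = 0; i < n; i++) h += d[i];
    *out = h; return STATUS_SUCCESS;
}
static NTSTATUS xor_hash(const uint8_t *d, size_t n, uint32_t *out) {
    uint32_t h = 0;
    for (size_t i = 0; i < n; i++) h ^= (uint32_t)d[i] << ((i % 4) * 8);
    *out = h; return STATUS_SUCCESS;
}

/* Stand-in for a ring-0 gadget: if this runs, the caller owns the kernel. */
static int g_gadget_ran = 0;
static NTSTATUS attacker_gadget(const uint8_t *d, size_t n, uint32_t *out) {
    (void)d; (void)n; (void)out;
    g_gadget_ran = 1;
    return STATUS_SUCCESS;
}

/* Hypothetical request layout: a kernel-mode client may pass its own callback,
 * a user-mode client is only supposed to select a table slot by index. */
typedef struct {
    const uint8_t *data;
    size_t         len;
    uint32_t       algo;      /* selector into the driver-owned table */
    HASH_FN        callback;  /* raw code pointer */
} HASH_REQUEST;

static const HASH_FN k_dispatch_table[] = { sum_hash, xor_hash };
#define TABLE_LEN (sizeof k_dispatch_table / sizeof k_dispatch_table[0])

/* Vulnerable pattern: whatever pointer sits in the input buffer gets called,
 * no matter who sent the request. */
static NTSTATUS vulnerable_dispatch(const void *in, size_t in_len, uint32_t *out) {
    HASH_REQUEST req;
    if (in_len < sizeof req) return STATUS_INVALID_PARAMETER;
    memcpy(&req, in, sizeof req);                     /* capture caller's buffer */
    return req.callback(req.data, req.len, out);      /* BUG: arbitrary call */
}

/* Hardened pattern: a request carrying a code pointer is refused unless it came
 * from kernel mode; user-mode callers can only pick a validated table slot. */
static NTSTATUS hardened_dispatch(KPROCESSOR_MODE prev_mode, const void *in,
                                  size_t in_len, uint32_t *out) {
    HASH_REQUEST req;
    if (in_len < sizeof req) return STATUS_INVALID_PARAMETER;
    memcpy(&req, in, sizeof req);
    if (req.data == NULL || req.len == 0) return STATUS_INVALID_PARAMETER;
    if (req.callback != NULL) {
        if (prev_mode != KernelMode) return STATUS_ACCESS_DENIED;
        return req.callback(req.data, req.len, out);  /* trusted in-kernel client */
    }
    if (req.algo >= TABLE_LEN) return STATUS_INVALID_PARAMETER;
    return k_dispatch_table[req.algo](req.data, req.len, out);
}

/* Constructed sample input standing in for the buffer a client would hash. */
static const uint8_t k_sample[] = "constructed sample input";
#define SAMPLE_LEN (sizeof k_sample - 1)

/* User-mode "exploit" against the vulnerable dispatcher: 1 if the gadget ran. */
static int exploit_vulnerable(void) {
    uint32_t out = 0;
    HASH_REQUEST req = { k_sample, SAMPLE_LEN, 0, attacker_gadget };
    g_gadget_ran = 0;
    vulnerable_dispatch(&req, sizeof req, &out);
    return g_gadget_ran;
}

/* The same request against the hardened dispatcher, issued from user mode. */
static NTSTATUS exploit_hardened(void) {
    uint32_t out = 0;
    HASH_REQUEST req = { k_sample, SAMPLE_LEN, 0, attacker_gadget };
    g_gadget_ran = 0;
    return hardened_dispatch(UserMode, &req, sizeof req, &out);
}

/* A legitimate user-mode request selecting a routine through the table. */
static NTSTATUS legit_hardened(uint32_t algo, uint32_t *out) {
    HASH_REQUEST req = { k_sample, SAMPLE_LEN, algo, NULL };
    return hardened_dispatch(UserMode, &req, sizeof req, out);
}
```

The two dispatchers are kept side by side on purpose: the only thing that changes is that a code pointer in the request is honoured solely when the kernel's own previous-mode bookkeeping says the request came from kernel mode, and everything a user-mode caller can influence is reduced to an index that is range-checked against a table the driver owns. Running `exploit_vulnerable()` shows the caller's pointer executing; the same request to `hardened_dispatch()` from user mode comes back as STATUS_ACCESS_DENIED with the gadget never reached.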
For organizations and individual users, the immediate and most effective defense is to install the updates Microsoft released in the February 2024 Patch Tuesday, which fix CVE-2024-21338. Keeping systems current closes this vulnerability window. Because the bug is admin-to-kernel, it is the step that turns an administrator compromise into a rootkit; patching removes that step but not the need to find out how administrator access was obtained in the first place.
When reposting, please credit: PoC Exploit Released for 0-day Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-21338) | CTF导航