PoC Exploit Released for Windows Hyper-V Zero-Day Vulnerability CVE-2024-38080

CVE-2024-38080 PoC exploit Github

Security researcher Pwndorei published a detailed analysis alongside a proof-of-concept (PoC) exploit code for a patched zero-day vulnerability in Windows Hyper-V, tracked as CVE-2024-38080. This critical flaw, already being actively exploited in the wild, allows attackers to elevate privileges to SYSTEM level, making it a severe risk for organizations relying on Microsoft’s virtualization technology.

CVE-2024-38080 (CVSS 7.8) is an elevation of privilege (EoP) vulnerability that impacts Windows Hyper-V, Microsoft’s hypervisor that enables virtualized computing environments. The flaw, discovered in the VidExoBrokerIoctlReceive function of Hyper-V, stems from an integer overflow that can be triggered by malicious actors. By exploiting this flaw, attackers can manipulate the system’s memory and execute code with SYSTEM-level privileges, effectively gaining full control of the compromised system.

While Microsoft has acknowledged the vulnerability and confirmed its active exploitation, it has remained tight-lipped on specific details, such as who initially discovered the flaw or the extent of the damage it has caused. Nevertheless, CISA has added CVE-2024-38080 to its Known Exploited Vulnerability Catalog, signaling the severity and urgency of addressing the issue.

Pwndorei’s analysis revealed that the vulnerability originates in the VidExoBrokerIoctlReceive function, which is tasked with handling Ioctl requests within Hyper-V. The vulnerability arises due to insufficient validation of data in IRP (I/O Request Packet) structures. Specifically, an attacker can exploit this flaw by sending malicious IRP requests via the VidExoBrokerIoctlSend function. This leads to an integer overflow in the kernel’s non-paged pool, which subsequently causes a buffer overflow and results in a BSOD (Blue Screen of Death).

__int64 __fastcall VidExoBrokerIoctlReceive(
__int64 VidExoObj,
struct _LIST_ENTRY *a2,
BrokerIrpDataHeader *Dest,
unsigned int OutputLen,
unsigned int *a5)
{
...

ReceivedIRP = (_IRP *)VidExoBrokerpFindAndDequeueSendIrpForFileObject(VidExoObj, a2);//[1] Sent by VidExoBrokerIoctlSend
v9 = ReceivedIRP;
if ( !ReceivedIRP )
{
...
}

In the PoC, the vulnerability is triggered by calling the affected functions, leading to a crash. However, more concerning is the potential for this vulnerability to be used for SYSTEM privilege escalation, which would grant the attacker control over the entire system.

The PoC exploit for CVE-2024-38080, which is publicly available on GitHub, demonstrates how an attacker can invoke these functions to take advantage of the overflow and crash the system. The availability of this exploit raises the stakes for organizations that rely on Hyper-V for critical workloads, as the PoC provides a roadmap for attackers to replicate the exploit.

Microsoft has confirmed the vulnerability and released patches in its July 2024 Patch Tuesday updates.

Related Posts: