How hackers can exploit the use-after-free vulnerability in the Windows driver (CVE-2024-38193)

CVE-2024-38193 is a use-after-free vulnerability in afd.sys, the Windows Ancillary Function Driver for WinSock. It affects the driver's Registered I/O (RIO) extension for Windows sockets and lets an attacker who can already run code on the machine escalate to SYSTEM privileges. Microsoft fixed the vulnerability in the August 2024 Patch Tuesday update.

The flaw lies in the RIO component of the afd.sys driver, which is used to optimize socket programming by minimizing system calls.

The problem is a race condition between two functions, AfdRioGetAndCacheBuffer() and AfdRioDereferenceBuffer(): a registered buffer can be deregistered and freed while a cached pointer to it is still in use. An attacker who wins the race can read and write the freed memory, which can lead to privilege escalation.

Technical analysis

The RIO extension facilitates efficient send and receive operations by allowing userland programs to register large buffers. However, the race condition between the two functions can be triggered by interleaving buffer deregistration with ongoing I/O that still uses the buffers. Exploitation involves several steps:

  1. Heap spraying: The attacker fills the non-paged pool with fake RIOBuffer structures using named-pipe allocations, so that the memory of a freed RIOBuffer is reclaimed by attacker-controlled data.
  2. Triggering the use-after-free: The exploit runs two threads, one that keeps using the registered buffers and another that deregisters them. If the race is won, the cache still holds a pointer to a RIOBuffer structure that has already been freed.
  3. Privilege escalation: With afd.sys now operating on attacker-controlled structures, the exploit gains arbitrary kernel read/write and overwrites critical kernel data to obtain NT AUTHORITY\SYSTEM privileges.

The primary exploitation strategy is therefore to reclaim the freed allocation with fake RIOBuffer structures in the non-paged pool. With the two concurrent threads, the attacker makes afd.sys operate on these fake structures, which yields arbitrary kernel reads and writes.
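The interleaving in steps 2 and 3, reduced to the vulnerability class it belongs to, as an added example that is not code from the article or from Exodus Intelligence: a buffer registry with a lookup cache that stores a raw pointer without taking a reference, beside the fix that takes the reference in the same critical section as the lookup. All names (rio_buffer, lookup_vuln, lookup_fixed, race) are hypothetical and stand in for the driver's real structures; the allocator is modelled with a state flag rather than a real free so the use-after-free shows up deterministically instead of as undefined behaviour. It is portable C and does not touch the real RIO API.

```c
/* Added model of the cache-vs-dereference race class (hypothetical names,
 * not afd.sys code). A lookup cache that keeps a raw pointer without a
 * reference is shown beside the fix that takes one. The allocator is
 * modelled with a state flag instead of a real free so the UAF is visible. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum buf_state { BUF_LIVE = 1, BUF_FREED = 2 };

typedef struct rio_buffer {
    int refcount;          /* one for the registration, one per active user */
    enum buf_state state;  /* the allocator's view of the chunk */
    char data[64];
} rio_buffer;

#define MAX_BUFS 8
typedef struct registry {
    rio_buffer *slots[MAX_BUFS]; /* registered buffers, indexed by ID */
    rio_buffer *cache;           /* last looked-up buffer */
    int cache_holds_ref;         /* fixed variant: cache owns a reference */
} registry;

static rio_buffer *buf_alloc(const char *contents) {
    rio_buffer *b = calloc(1, sizeof *b);
    b->refcount = 1;             /* held by the registration */
    b->state = BUF_LIVE;
    strncpy(b->data, contents, sizeof b->data - 1);
    return b;
}

/* Modelled free: mark the chunk and scribble it. In a real kernel the pool
 * would hand this chunk out again, e.g. to a sprayed named-pipe buffer. */
static void buf_release(rio_buffer *b) {
    if (--b->refcount == 0) {
        b->state = BUF_FREED;
        memset(b->data, 0xCC, sizeof b->data);
    }
}

static int reg_register(registry *r, const char *contents) {
    for (int i = 0; i < MAX_BUFS; i++)
        if (!r->slots[i]) { r->slots[i] = buf_alloc(contents); return i; }
    return -1;
}

/* Vulnerable lookup: caches the pointer but takes no reference on it. */
static rio_buffer *lookup_vuln(registry *r, int id) {
    r->cache = r->slots[id];
    r->cache_holds_ref = 0;
    return r->cache;
}

/* Fixed lookup: the reference is taken together with the table read, so a
 * concurrent deregistration can only drop its own reference. */
static rio_buffer *lookup_fixed(registry *r, int id) {
    r->cache = r->slots[id];
    r->cache->refcount++;
    r->cache_holds_ref = 1;
    return r->cache;
}

static void reg_deregister(registry *r, int id) {
    rio_buffer *b = r->slots[id];
    r->slots[id] = NULL;
    buf_release(b);              /* drops the registration reference */
}

/* Use of the cached buffer; -1 stands for the kernel touching freed memory. */
static int use_cached(const registry *r) {
    if (r->cache->state != BUF_LIVE) return -1;
    return (int)strlen(r->cache->data);
}

static void cache_drop(registry *r) {
    if (r->cache_holds_ref) buf_release(r->cache);
    r->cache = NULL;
}

/* The interleaving the article describes, replayed sequentially: thread A
 * looks the buffer up and keeps using it; thread B deregisters it between
 * the lookup and the use. Returns the byte count on success, -1 on UAF. */
int race(int fixed) {
    registry r;
    memset(&r, 0, sizeof r);
    int id = reg_register(&r, "registered RIO buffer");
    rio_buffer *b = fixed ? lookup_fixed(&r, id) : lookup_vuln(&r, id); /* A */
    reg_deregister(&r, id);                                             /* B */
    int rc = use_cached(&r);                                            /* A */
    cache_drop(&r);
    free(b);                     /* real release of the modelled chunk */
    return rc;
}

int main(void) {
    printf("raw-pointer cache: %d (-1 = use after free)\n", race(0));
    printf("reference-holding cache: %d bytes read\n", race(1));
    return 0;
}
```

race(0) returns -1 because the cached pointer names an object whose only reference, the registration, was dropped by the deregistering thread; race(1) returns the 21 bytes read because the cache's own reference kept the object alive until the user was done. The principle carries over to any kernel object cache: the reference must be taken under the same lock that protects the table the pointer was read from, otherwise the deregistration path can observe a zero refcount while a user still holds the pointer.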

“This ultimately allows for privilege escalation. Once the non-paged pool setup is complete, we can trigger the use-after-free vulnerability. To trigger it, the exploit needs to create two concurrent threads: one that continues to use the registered buffers by issuing read/write requests and the other that loops through all registered buffers and attempts to deregister them,” Exodus researchers said.

Microsoft has released a patch that fixes this vulnerability. We strongly recommend that users and organizations immediately apply the August 2024 security updates to mitigate potential exploitation risks. Administrators should also ensure that all systems are running updated antivirus software and that they are set up to automatically apply security updates.

CVE-2024-38193 highlights the importance of timely patch management and vigilant system monitoring. Although the vulnerability poses a significant risk, applying the latest security updates can effectively neutralize the threat.
