cve-2025-21333 - 1day breakdown

Author: ghostbyt3

content/1day-breakdowns/cve-2025-21333.md

@@ -0,0 +1,151 @@
+---
+title:      "Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilitys"
+subtitle:   "Sample Subtitle"
+date:       2025-04-28
+author:     "Ghostbyt3"
+tags:    ["1day", "vkrnlintvsp.sys", "windows", "kernel", "heap"]
+categories: ["1Day Breakdown"]
+authorbox: true
+pager: true
+toc: true
+sidebar: "right"
+layout: "single"
+showTableOfContents: true
+---
+
+**CVE-2025-21333:** https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333  
+**Vulnerability Type:** Heap-based Buffer Overflow  
+**Tested On:** vkrnlintvsp.sys - 10.0.22621.2506  
+
+## Description
+
+A vulnerability in the Windows Hyper-V NT Kernel Integration VSP driver exists due to a vulnerable function, `VkiRootAdjustSecurityDescriptorForVmwp()`, which can be invoked from user mode. This leads to a heap-based buffer overflow, ultimately resulting in privilege escalation.
+
+## Requirements
+
+To exploit this vulnerability, Windows Sandbox must be enabled in "Turn Windows features on or off". 
+
+![IMG](/img/cve-2025-21333/img.png)
+
+## Vulnerability analysis
+
+The vulnerability exists in the `VkiRootAdjustSecurityDescriptorForVmwp()` function of the `vkrnlintvsp.sys` driver, where the `Dacl` is user-controllable. The `memmove` operation uses `Dacl->AclSize` without verifying the user-supplied size, leading to a heap-based buffer overflow by copying unvalidated data into the Paged Pool.
+
+```c++
+__int64 __fastcall VkiRootAdjustSecurityDescriptorForVmwp(void *a1, char a2)
+{
+  struct _ACL *v4; // rdi
+  NTSTATUS ObjectSecurity; // ebx
+  __int16 v6; // bx
+  __int16 v7; // ax
+  WORD v8; // bx
+  struct _ACL *Pool2; // rax
+  int v10; // esi
+  unsigned __int8 DaclDefaulted[8]; // [rsp+20h] [rbp-50h] BYREF
+  PACL Dacl; // [rsp+28h] [rbp-48h] BYREF
+  PSID Sid; // [rsp+30h] [rbp-40h] BYREF
+  PSID P; // [rsp+38h] [rbp-38h] BYREF
+  PSECURITY_DESCRIPTOR SecurityDescriptor; // [rsp+40h] [rbp-30h] BYREF
+  _OWORD v17[2]; // [rsp+48h] [rbp-28h] BYREF
+  __int64 v18; // [rsp+68h] [rbp-8h]
+  unsigned __int8 DaclPresent; // [rsp+A0h] [rbp+30h] BYREF
+  unsigned __int8 MemoryAllocated; // [rsp+A8h] [rbp+38h] BYREF
+
+  Dacl = 0LL;
+  DaclDefaulted[0] = 0;
+  SecurityDescriptor = 0LL;
+  Sid = 0LL;
+  P = 0LL;
+  memset(v17, 0, sizeof(v17));
+  v18 = 0LL;
+  DaclPresent = 0;
+  v4 = 0LL;
+  MemoryAllocated = 0;
+  ObjectSecurity = ObGetObjectSecurity(a1, &SecurityDescriptor, &MemoryAllocated);
+  if ( ObjectSecurity >= 0 )
+  {
+    if ( !SecurityDescriptor )
+      goto LABEL_15;
+    ObjectSecurity = RtlGetDaclSecurityDescriptor(SecurityDescriptor, &DaclPresent, &Dacl, DaclDefaulted);
+    if ( ObjectSecurity < 0 )
+      goto LABEL_16;
+    if ( DaclPresent && Dacl )
+    {
+      ObjectSecurity = SeConvertStringSidToSid(L"S-1-5-83-0", &Sid);
+      if ( ObjectSecurity >= 0 )
+      {
+        ObjectSecurity = SeConvertStringSidToSid(
+                           L"S-1-15-3-1024-2268835264-3721307629-241982045-173645152-1490879176-104643441-2915960892-1612460704",
+                           &P);
+        if ( ObjectSecurity >= 0 )
+        {
+          v6 = RtlLengthSid(Sid);
+          v7 = RtlLengthSid(P);
+          v8 = Dacl->AclSize + v7 + v6 + 16;
+          Pool2 = (struct _ACL *)ExAllocatePool2(256LL, v8, 1867671894LL);
+          v4 = Pool2;
+          if ( Pool2 )
+          {
+            memmove(Pool2, Dacl, Dacl->AclSize);
+            v4->AclSize = v8;
+            v10 = a2 != 0 ? 2 : 0;
+            ObjectSecurity = RtlAddAccessAllowedAce(v4, 2u, v10 + 2031617, Sid);
+            if ( ObjectSecurity >= 0 )
+            {
+              ObjectSecurity = RtlAddAccessAllowedAce(v4, 2u, v10 + 2031617, P);
+              if ( ObjectSecurity >= 0 )
+              {
+                ObjectSecurity = RtlCreateSecurityDescriptor(v17, 1u);
+                if ( ObjectSecurity >= 0 )
+                {
+                  ObjectSecurity = RtlSetDaclSecurityDescriptor(v17, 1u, v4, 0);
+                  if ( ObjectSecurity >= 0 )
+                    ObjectSecurity = ObSetSecurityObjectByPointer(a1, 4LL, v17);
+                }
+              }
+            }
+          }
+          else
+          {
+            ObjectSecurity = -1073741801;
+          }
+        }
+      }
+    }
+    else
+    {
+LABEL_15:
+      ObjectSecurity = 0;
+    }
+  }
+LABEL_16:
+  if ( Sid )
+    ExFreePoolWithTag(Sid, 0);
+  if ( P )
+    ExFreePoolWithTag(P, 0);
+  if ( v4 )
+    ExFreePoolWithTag(v4, 0x6F526956u);
+  ObReleaseObjectSecurity(SecurityDescriptor, MemoryAllocated);
+  return (unsigned int)ObjectSecurity;
+}
+```
+
+## Exploit
+
+Tested on: Windows 11 23H2
+Working POC: https://github.com/ghostbyt3/WinDriver-EXP/tree/main/CVE-2025-21333/POC
+
+![IMG1](/img/cve-2025-21333/img1.png)
+
+## Acknowledgements
+
+- The original [PoC](https://github.com/MrAle98/CVE-2025-21333-POC) was developed by [Alessandro Iandoli](https://x.com/MrAle_98), on which the above POC is created.
+- [Corentin Bayet](https://x.com/onlytheduck) and [Paul Fariello](https://x.com/paulfariello) for their outstanding explanation of [Windows Pool](https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf)
+- Yarden Shafir for the [IORING](https://windows-internals.com/one-i-o-ring-to-rule-them-all-a-full-read-write-exploit-primitive-on-windows-11/) method for an arbitrary Read/Write exploit primitive. 
+
+
+**References:**
+
+- https://infosecwriteups.com/cve-2025-21333-windows-heap-based-buffer-overflow-analysis-d1b597ae4bae
+- https://www.nccgroup.com/us/research-blog/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-1/
+- https://github.com/synacktiv/Windows-kernel-SegmentHeap-Aligned-Chunk-Confusion/