content/1day-breakdowns/cve-2025-21333.md
Lines changed: 3 additions & 12 deletions
@@ -13,15 +13,13 @@ layout: "single"
showTableOfContents: true
---
+
A vulnerability in the Windows Hyper-V NT Kernel Integration VSP driver exists due to a vulnerable function, `VkiRootAdjustSecurityDescriptorForVmwp()`, which can be invoked from user mode. This leads to a heap-based buffer overflow, ultimately resulting in privilege escalation.
A vulnerability in the Windows Hyper-V NT Kernel Integration VSP driver exists due to a vulnerable function, `VkiRootAdjustSecurityDescriptorForVmwp()`, which can be invoked from user mode. This leads to a heap-based buffer overflow, ultimately resulting in privilege escalation.
-
## Requirements
To exploit this vulnerability, Windows Sandbox must be enabled in "Turn Windows features on or off".
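Review bot: the summary paragraph appears twice in this hunk with byte-identical text, right after the added blank line; if the two copies are the removed and re-added versions of one line, this is a whitespace-only change that should either be collapsed or called out in the commit message, and if they are both in the new file the duplicate should be dropped. The same paragraph also states that `VkiRootAdjustSecurityDescriptorForVmwp()` "can be invoked from user mode", while the second hunk explains it is reached indirectly through the `VkiRootCalloutCreateEvent()` callback that `NtCreateCrossVmEvent()` triggers; "is reachable from user mode via `NtCreateCrossVmEvent()`" would match that explanation more precisely. Finally, the hunk header records 12 deletions but only the single removed blank line is visible here, so please confirm the rest of the removed text did not include content the Requirements section still depends on.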
@@ -135,14 +133,7 @@ The kernel has a mechanism to register and use specific callbacks for some prede
In this case, it was discovered that `VkiRootCalloutCreateEvent()` is one of the callback functions that can be invoked by `NtCreateCrossVmEvent()`. Therefore, to reach the vulnerable function call, we need to invoke `NtCreateCrossVmEvent()` from user space.
`NtCreateCrossVmEvent()` is an undocumented function that takes an `OBJECT_ATTRIBUTES` structure as an argument. This structure includes a `SecurityDescriptor` (`SECURITY_DESCRIPTOR`), which contains the security information associated with the object — including the `Dacl`. This is where the payload should be injected in order to trigger the vulnerability.
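Review bot: the hunk header says this region shrinks from 14 lines to 7, yet only the two unchanged context paragraphs are shown, so the seven removed lines are not visible for review. The surviving paragraph ends by saying the `Dacl` "is where the payload should be injected in order to trigger the vulnerability" without saying how that DACL flows from the `OBJECT_ATTRIBUTES` passed to `NtCreateCrossVmEvent()` into `VkiRootAdjustSecurityDescriptorForVmwp()`; please check that the deleted lines were not the ones carrying that link, and if they were, keep at least a one-sentence bridge so the walkthrough does not jump from the callback discovery straight to the payload placement.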