The kernel has a mechanism to register and use specific callbacks for some predetermined drivers. When the specific driver gets loaded, the driver provides a table which contains list of callbacks that the kernel can use. During the initialization, the kernel calls `ExRegisterHost()` function with some specific inputs this is specific for each driver to register some predetermined unexported functions.
135
+
136
+
In this case, it was discovered that `VkiRootCalloutCreateEvent()` is one of the callback functions that can be invoked by `NtCreateCrossVmEvent()`. Therefore, to reach the vulnerable function call, we need to invoke `NtCreateCrossVmEvent()` from user space.
`NtCreateCrossVmEvent()` is an undocumented function that takes an `OBJECT_ATTRIBUTES` structure as an argument. This structure includes a `SecurityDescriptor` (`SECURITY_DESCRIPTOR`), which contains the security information associated with the object — including the `Dacl`. This is where the payload should be injected in order to trigger the vulnerability.
148
+
```c++
149
+
NtCreateCrossVmEvent(
150
+
_Out_ PHANDLE CrossVmEvent,
151
+
_In_ ACCESS_MASK DesiredAccess,
152
+
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
153
+
_In_ ULONG CrossVmEventFlags,
154
+
_In_ LPCGUID VMID,
155
+
_In_ LPCGUID ServiceID
156
+
);
157
+
```
158
+
134
159
## Exploit
135
160
136
-
Tested on: Windows 11 23H2
161
+
Tested on: Windows 11 23H2
137
162
Working POC: https://github.com/ghostbyt3/WinDriver-EXP/tree/main/CVE-2025-21333/POC
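Review bot: the `NtCreateCrossVmEvent` prototype in the added code block has no return type, and the fence is tagged `c++` for what is a plain C prototype; suggest declaring it as `NTSTATUS NTAPI NtCreateCrossVmEvent(` (Nt* system calls return `NTSTATUS`) under a `c` tag so the block can be pasted into a project as-is. Two documentation gaps in the surrounding text: the first paragraph never names the driver whose callback table contains `VkiRootCalloutCreateEvent`, so "the specific driver" has no referent by the time the reader reaches the `NtCreateCrossVmEvent` sentence, and the `Dacl` paragraph says the payload goes in the DACL without saying what property of it (size, contents) actually triggers the vulnerable path; one sentence on each would let the reader follow the POC link with the right expectation. The `ExRegisterHost()` sentence is also a run-on ("with some specific inputs this is specific for each driver"); split it into what the kernel calls and what the driver's table contains. Finally, "Tested on: Windows 11 23H2" is deleted and re-added with identical text, which reads as a whitespace-only change; drop it from the diff unless the change is intentional.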