CVE-2018-8611 is an elevation of privilege vulnerability in the Windows Kernel Transaction Manager (KTM) driver. It is a race condition that occurs when transacted file operations are not handled properly in kernel mode. Because it is a local privilege escalation rather than a remote code execution bug, it does not by itself give an attacker remote access; in practice it is chained with a separate code execution bug in a browser (or another sandboxed process) to escape the sandbox and run code with elevated privileges. Microsoft addressed this issue as part of the December 2018 patch release.
– Named pipe: a named pipe is an inter-process communication (IPC) mechanism. It is a kernel-managed, named communication channel (not a shared memory region) through which one process sends data to another, and it is the object whose read/write operations the exploit targets.
– Enlistment object: an enlistment associates a transaction with a resource manager. When the transaction changes state, KTM notifies the enlisted resource manager.
To trigger this vulnerability, the exploit creates a named pipe together with a pair of transaction manager objects, resource manager objects and transaction objects. The transaction objects are used to mark read/write operations on the pipe. Multiple enlistment objects are created for one of the transaction objects and a single enlistment object for the other. The exploit then spawns several threads, all bound to a single CPU core so that their interleaving is easier to control; each thread repeatedly calls a different function: NtQueryInformationResourceManager, NtRecoverResourceManager and NtQueryInformationThread.
The thread calling NtQueryInformationThread monitors the return status of the NtRecoverResourceManager syscall made by another thread. A successful return serves as a flag that the race condition has been won; from that point, any write to the pipe in question results in kernel memory corruption, which the exploit turns into privilege escalation. This vulnerability was exploited in the wild by the APT actors tracked as FruityArmor and SandCat.
Microsoft addressed this issue in the December 2018 patch release. We recommend that organizations apply the latest patches as soon as possible. Qualys customers can scan their network using QID 91488 to detect vulnerable machines.
Please continue to follow Qualys Threat Protection for coverage on vulnerabilities.