Full Report
When hunting for zero days, where do you even start? According to the author, sticking to target is good. In this case, their had been several reference counting bugs recently. When they remembered that this code had similar patterns, they decided to audit the entire flow. Reference counting is done when an object will have more than a single reference to it. Once it has no references, it can be safely destroyed. Within some cleanup code for MSKSSRV, they noticed some bad code patterns. First, around the process ID. Process context matters because kernel mode code operators in a single address space, where each process has its own user mode context. So, there's some code that checks if the process is the initializing or registering process for an object. The code was cleaning up FS information, which was weird because most Dispatch routines run in an arbitrary process context and DispatchClose() was running in an arbitrary process context. Although this wasn't a bug, it was clearly poorly written code that should be looked at more. They also noticed several cases where a function can call decrement the reference count more than should be possible. Although this looks like a use after free, there's a higher level object being locked that prevents that from happening. Still, weird code deserves a closer look! From here, they created a detailed map of the reference counting from different types of processes and calls. Eventually, they were able to come up with a way to trigger a UAF from too many things being cleaned up and pointers not being cleared. So, 3 references can actually there and a single extra one is subtracted, freeing the object. The bug isn't trivial to hit but can be exploited, which is the next post in the series. The actual vulnerability stems from not setting the FsContext pointer to NULL during the cleanup. Crazy enough, in previous versions of the code, this was there! How did this appear again? The feature flag Feature_Servicing_TeamsUsingMediaFoundationCrashes does not set this to NULL. In Windows 10, this was always on. In Windows 11, this flag was missing, resulting in the vulnerability being present. With the flag turned on, it causes a crash on Microsoft teams, which is likely why they turned this flag off. The patch checks the thread's token against two specific security IDs that are privileged. The author mentions that there is likely an Admin to Kernel privilege escalation here, as it doesn't fix the underlying memory corruption issue. But, Microsoft doesn't care about this type priv esc so it's not a big deal. A fun article on a Pwn2Own entry!
Analysis Summary
# Vulnerability: Use-After-Free in Microsoft Streaming Service (MSKSSRV.SYS)
## CVE Details
- **CVE ID:** CVE-2023-29360 (Based on Pwn2Own context provided)
- **CVSS Score:** 8.4 (High)
- **CWE:** CWE-416 (Use After Free), CWE-672 (Operation on a Resource after Expiration or Release)
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:** Windows 11 (Initial releases and specific builds where the servicing feature flag was absent).
- **Configurations:** Systems where `Feature_Servicing_TeamsUsingMediaFoundationCrashes` is disabled or missing. Note: Windows 10 was largely unaffected as the flag was consistently enabled.
## Vulnerability Description
The vulnerability is a Use-After-Free (UAF) issue within the Microsoft Streaming Service (`MSKSSRV.SYS`). The flaw resides in the reference counting logic and the cleanup of File System (FS) information.
Specifically, the driver fails to set the `FsContext` pointer to `NULL` during the cleanup routine. This allows a scenario where multiple references can be decremented beyond the actual allocation count. This regression occurred because a specific feature flag (`Feature_Servicing_TeamsUsingMediaFoundationCrashes`), which previously contained the fix for this behavior, was omitted in Windows 11 builds—likely because the fix caused stability issues (crashes) in Microsoft Teams. An attacker can manipulate process contexts and specific Dispatch routines to trigger an extra reference decrement, freeing the object while pointers to it still exist.
## Exploitation
- **Status:** PoC Available / Publicly Documented (Pwn2Own entry).
- **Complexity:** High (Requires precise mapping of reference increments/decrements and bypassing synchronization locks).
- **Attack Vector:** Local (Requires local access to execute code).
## Impact
- **Confidentiality:** High (Potential for kernel-mode data leakage).
- **Integrity:** High (Memory corruption allows for unauthorized modification of kernel structures).
- **Availability:** High (Can lead to system-wide crashes/BSOD).
## Remediation
### Patches
- Microsoft addressed this in June 2023. Users should ensure they are on the latest cumulative update for Windows 11.
- The patch introduced a security check that verifies the thread's token against two specific privileged Security Identifiers (SIDs).
### Workarounds
- No official workarounds are available other than applying security updates. Since this transition involves kernel-mode drivers, disabling the service may impact media foundation functionality.
## Detection
- **Indicators of Compromise:** Unusual system crashes (BSOD) related to `MSKSSRV.SYS`.
- **Detection Methods:** Monitor for unauthorized attempts to escalate privileges from Administrator to System/Kernel. Security teams can use kernel-mode auditing tools to watch for suspicious interactions with the MSKSSRV dispatch routines.
## References
- Microsoft Security Advisory: [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29360](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29360)
- Original Research: [https://synacktiv.com/](https://synacktiv[.]com/) (Referencing the Pwn2Own entry mentioned in the article).
- Defanged Link: hxxps[://]www[.]ibm[.]com/think/x-force/