Summary: Security researchers have disclosed a critical zero-day vulnerability in Windows, tracked as CVE-2024-30051, that allows attackers to escalate privileges to SYSTEM level through a heap-based buffer overflow. The vulnerability poses significant risks, enabling arbitrary code execution and potential malware deployment, including QakBot.
Threat Actor: Kaspersky researchers | Kaspersky researchers
Victim: Microsoft Windows | Microsoft Windows
Key Point :
- The vulnerability, rated 7.8 on the CVSS scale, is caused by a heap-based buffer overflow in the Desktop Window Manager (DWM) core library.
- Exploitation allows attackers to execute arbitrary code with SYSTEM privileges, potentially leading to malware attacks like QakBot.
- The flaw affects various Windows versions, and a proof-of-concept exploit has been made publicly available, increasing the urgency for patching.
- Microsoft has released a patch for CVE-2024-30051 in its May 2024 Patch Tuesday update, and users are urged to apply it immediately.
- Organizations should monitor for suspicious activity and update security tools to recognize indicators of compromise related to this vulnerability.
Security researchers published the technical details and a proof-of-concept exploit (PoC) code for a zero-day vulnerability in Windows, tracked as CVE-2024-30051, which could allow attackers to escalate their privileges to SYSTEM level. This critical flaw, rated 7.8 on the CVSS scale, is caused by a heap-based buffer overflow in the Desktop Window Manager (DWM) core library. Exploitation of this vulnerability can result in arbitrary code execution with system-level privileges, opening the door to potential malware attacks, including the deployment of payloads like QakBot.
The vulnerability stems from a size miscalculation error in the dwmcore.dll library, which is responsible for rendering Windows’ graphical user interface elements, including 3D transitions and glass window frames. Discovered by Kaspersky researchers, the flaw exists in the CCommandBuffer::Initialize method of the DWM library. This bug can be exploited by a local user to trigger a heap overflow, allowing them to execute arbitrary code with SYSTEM integrity.
An attacker can craft a DLL and load it into the DWM process, which will run with elevated privileges, enabling the attacker to take control of the system. The CVE-2024-30051 vulnerability affects various Windows versions, and the proof-of-concept (PoC) exploit code has been made publicly available on GitHub, increasing the urgency for patching.
The exploit for CVE-2024-30051 involves a series of steps where the attacker performs a heap spray in the DWM process to manipulate memory. By releasing specific parts of the sprayed heap, a heap overflow is triggered in dwmcore.dll, leading to the execution of the attacker’s code. Once the exploit succeeds, the attacker can launch a command prompt or load malicious code with full SYSTEM privileges.
In real-world attacks, this vulnerability has been exploited to deliver malware such as QakBot, which is commonly used for credential theft and ransomware distribution. The ability to escalate privileges makes this flaw particularly dangerous, as it allows attackers to bypass many security controls and gain complete control over compromised systems.
Microsoft has patched CVE-2024-30051 in its May 2024 Patch Tuesday update. Users and system administrators are strongly encouraged to apply this patch immediately to prevent exploitation. Given the public availability of the PoC exploit code, unpatched systems are at a heightened risk of attack.
In addition to applying the patch, organizations should monitor their networks for any suspicious activity. Antivirus tools and endpoint detection solutions should be updated to recognize indicators of compromise associated with this vulnerability.