Full Report
The author of this post exploited a Windows kernel vulnerability to escape the Chrome renderer sandbox and become SYSTEM. The underlying bug is a time-of-check/time-of-use (TOCTOU) race on a user-provided pointer: the kernel validates the pointer and then reads it again before writing through it. Swapping the user-mode pointer for a kernel address between the two reads turns the copy into a partially controlled kernel write.

From an ordinary Medium-integrity process this is a straightforward exploit. The write is used to overwrite the Control bitfield of SepMediumDaclSd (the field that carries the SE_SACL_PRESENT flag), which makes the kernel skip the integrity check; the attacker then locates the token of a privileged process via NtQuerySystemInformation and uses it to reach SYSTEM.

From the Chrome renderer sandbox the same bug takes more work. The renderer runs at Untrusted integrity level, its job object forbids creating child processes, and its token holds no privileges. The first obstacle: calling NtQuerySystemInformation to find a token fails with access denied because the renderer process runs at such a low integrity level. The fix was to use the partially controlled write to clear SE_SACL_PRESENT so the integrity check is skipped; because the primitive writes 32 bytes at a time, the byte offset had to be chosen carefully to hit that field. The second obstacle is the job object: the renderer cannot call CreateProcess at all. The solution was to inject code into another process, winlogon.exe, and have it call CreateProcess instead. The result is code execution as a privileged user, starting from a Chrome renderer.
Analysis Summary
# Vulnerability: Windows Kernel TOCTOU Leading to Chrome Renderer Sandbox Escape and SYSTEM Privilege Escalation
## CVE Details
- CVE ID: CVE-2024-30088
- CVSS Score: N/A (not given in the source; the chain is a local elevation of privilege from the Chrome renderer sandbox, Untrusted Integrity Level, to SYSTEM)
- CWE: CWE-362 (Race Condition) - Inferred from Time-of-Check Time-of-Use (TOCTOU) description.
## Affected Systems
- Products: Windows Kernel (`ntoskrnl.exe`)
- Versions: The analysis was performed on Windows 11 23H2, on a build predating 24H2 and the fix for CVE-2024-30088.
- Configurations: The public PoC exploits the bug from a Medium Integrity Level process. The chained escape starts inside the Chrome renderer sandbox (Untrusted Integrity Level, job object with child-process creation disabled, token without privileges) and needs the extra steps described below.
## Vulnerability Description
The vulnerability is **CVE-2024-30088**, a Time of Check to Time of Use (TOCTOU) race condition in the Windows kernel routine `NtQueryInformationToken` when it is called with the `TokenAccessInformation` class (output structure `TOKEN_ACCESS_INFORMATION`).
The kernel validates a pointer supplied in the user-mode buffer and then re-reads it before writing through it. A racing thread that replaces the user-mode pointer with a kernel address between the two reads turns the copy-out into a partially controlled write into kernel memory: the attacker picks the destination, but only some of the bytes written are under their control.
1. **Initial Kernel Exploit (EoP to SYSTEM):** The write is aimed at the `Control` bitfield of the kernel's `SepMediumDaclSd` security descriptor, the field that carries the `SE_SACL_PRESENT` flag. Clearing that flag leaves the descriptor without a SACL, so the mandatory integrity check is skipped. From a Medium Integrity process this is enough to obtain a privileged token and escalate to SYSTEM.
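The double fetch described above, reduced to a runnable model. This is an added example and not code from the STAR Labs post or from `ntoskrnl.exe`: the structure and function names (`user_request_t`, `copy_out_vulnerable`, `probe_for_write`) are made up, a callback stands in for the racing attacker thread, and a small static array stands in for user-mode memory so the program can run anywhere. The vulnerable copy reads the user pointer once for the probe and again for the `memcpy`; the hardened copy captures it once into a local and never touches the user structure again, which is the standard fix for this bug class.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of a double fetch (TOCTOU) on a user-supplied pointer.
 * Not the kernel's code: names and layouts are invented for the example. */

/* The only memory the "probe" accepts as user-mode; anything else stands in
 * for kernel memory. */
static uint8_t user_region[64];

/* A kernel-only object the attacker wants to corrupt (here, a flags word). */
static struct { uint32_t magic; uint32_t flags; } kernel_object = { 0xC0DE, 0x0014 };

/* Caller-supplied request: "copy the result to `buffer`". */
typedef struct {
    uint8_t *buffer;
    size_t   length;
} user_request_t;

/* Hook standing in for the racing attacker thread, invoked between check
 * and use; it may rewrite the request in place. */
typedef void (*race_hook_t)(user_request_t *req, void *ctx);

/* Stand-in for ProbeForWrite: the address range must lie in user memory. */
static bool probe_for_write(const void *p, size_t len) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_region, hi = lo + sizeof user_region;
    return len <= sizeof user_region && a >= lo && a + len <= hi;
}

/* The data the kernel copies out. The attacker does not choose these bytes,
 * only where they land: a partially controlled write, as in the post. */
static const uint8_t kernel_response[4] = { 0x01, 0x00, 0x00, 0x00 };

/* VULNERABLE: req->buffer is fetched twice, once for the probe and once for
 * the copy. A change in between makes the probe worthless. */
static int copy_out_vulnerable(user_request_t *req, race_hook_t race, void *ctx) {
    if (req->length < sizeof kernel_response) return -1;
    if (!probe_for_write(req->buffer, req->length))           /* fetch #1: check */
        return -2;
    if (race) race(req, ctx);                                 /* attacker wins the race */
    memcpy(req->buffer, kernel_response, sizeof kernel_response); /* fetch #2: use */
    return 0;
}

/* HARDENED: capture every user-controlled field once into kernel-owned
 * locals, validate those, and never read the user structure again. */
static int copy_out_hardened(user_request_t *req, race_hook_t race, void *ctx) {
    uint8_t *dst = req->buffer;                               /* single fetch */
    size_t   len = req->length;
    if (len < sizeof kernel_response) return -1;
    if (!probe_for_write(dst, len)) return -2;
    if (race) race(req, ctx);                                 /* too late to matter */
    memcpy(dst, kernel_response, sizeof kernel_response);
    return 0;
}

/* Attacker thread: after the probe, point the buffer at kernel memory. */
static void retarget_to_kernel(user_request_t *req, void *ctx) {
    req->buffer = (uint8_t *)ctx;
}

/* Simulate one exploit attempt and report the kernel object's flags word.
 * 0x0014 means the object survived untouched. */
static uint32_t run_attempt(bool hardened) {
    kernel_object.flags = 0x0014;
    memset(user_region, 0, sizeof user_region);
    user_request_t req = { user_region, sizeof user_region };
    int (*copy_out)(user_request_t *, race_hook_t, void *) =
        hardened ? copy_out_hardened : copy_out_vulnerable;
    copy_out(&req, retarget_to_kernel, &kernel_object.flags);
    return kernel_object.flags;
}

int main(void) {
    printf("vulnerable path: flags = 0x%08x\n", run_attempt(false));
    printf("hardened path:   flags = 0x%08x\n", run_attempt(true));
    return 0;
}
```

The race hook is deterministic here so the outcome is reproducible; in the real bug the attacker needs many attempts before a second thread changes the pointer inside the narrow window between the probe and the copy.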
2. **Chrome Sandbox Chaining:** The renderer runs at Untrusted Integrity Level inside a job object that forbids child processes, and its token carries no privileges, so two more obstacles had to be cleared:
    * Calling `NtQuerySystemInformation` to locate a token fails with access denied because of the renderer's low integrity level.
    * The partially controlled write was reused to clear `SE_SACL_PRESENT` so the mandatory integrity check is skipped. Because the primitive writes 32 bytes at a time and only some of them are attacker-controlled, the write offset had to be chosen so that the controlled bytes land on the `Control` field.
    * The job object blocks `CreateProcess` in the renderer, so the attacker injected code into the higher-privileged **`winlogon.exe`** and had that process spawn the final shell on the renderer's behalf.
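Why a single bit in `Control` matters, and where a byte-granular write has to land to reach it, as an added example rather than code from the post. The `SECURITY_DESCRIPTOR_RELATIVE` layout and the `SE_*`, `SECURITY_MANDATORY_*_RID` and `SYSTEM_MANDATORY_LABEL_*` constants are the real Windows SDK values; the `mandatory_check` routine, the `sacl_label_t` container and the `untrusted_write_allowed` scenario are a simplified model written for this example and not the kernel's actual access-check code. The model follows the behaviour the post relies on: a descriptor whose `Control` no longer has `SE_SACL_PRESENT` set has no mandatory label to enforce.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SECURITY_DESCRIPTOR_RELATIVE (20 bytes) and Control bits as in the
 * Windows SDK. Everything about ACEs below is simplified for the example. */
typedef struct {
    uint8_t  Revision;
    uint8_t  Sbz1;
    uint16_t Control;
    uint32_t Owner;   /* offsets of owner/group SIDs and ACLs from the SD start */
    uint32_t Group;
    uint32_t Sacl;    /* only meaningful when SE_SACL_PRESENT is set */
    uint32_t Dacl;
} SECURITY_DESCRIPTOR_RELATIVE;

#define SE_DACL_PRESENT   0x0004
#define SE_SACL_PRESENT   0x0010
#define SE_SELF_RELATIVE  0x8000

/* Integrity RIDs and mandatory-label policy bits (SDK values). */
#define SECURITY_MANDATORY_UNTRUSTED_RID 0x0000
#define SECURITY_MANDATORY_MEDIUM_RID    0x2000
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP 0x1
#define SYSTEM_MANDATORY_LABEL_NO_READ_UP  0x2

/* The SACL reduced to its mandatory label ACE (invented container). */
typedef struct {
    uint32_t label_rid;
    uint32_t label_mask;
} sacl_label_t;

typedef enum { ACCESS_READ, ACCESS_WRITE } access_kind_t;

/* Simplified mandatory integrity check. If the descriptor claims no SACL,
 * there is no label to enforce and the request falls through to the
 * ordinary DACL check (modelled here as "allow"). */
static bool mandatory_check(const SECURITY_DESCRIPTOR_RELATIVE *sd,
                            const sacl_label_t *sacl,
                            uint32_t caller_rid, access_kind_t kind) {
    if (!(sd->Control & SE_SACL_PRESENT) || sd->Sacl == 0)
        return true;                                  /* no label: check skipped */
    if (caller_rid >= sacl->label_rid)
        return true;                                  /* equal or higher IL */
    if (kind == ACCESS_WRITE && (sacl->label_mask & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP))
        return false;
    if (kind == ACCESS_READ && (sacl->label_mask & SYSTEM_MANDATORY_LABEL_NO_READ_UP))
        return false;
    return true;
}

/* The offset a byte-granular write primitive must hit to reach Control. */
static size_t control_offset(void) {
    return offsetof(SECURITY_DESCRIPTOR_RELATIVE, Control);
}

/* Model of the corrupting write: patch Control through a byte view of the
 * descriptor, the way an address-based write primitive would. */
static void clear_sacl_present(SECURITY_DESCRIPTOR_RELATIVE *sd) {
    uint8_t *bytes = (uint8_t *)sd;
    uint16_t control;
    memcpy(&control, bytes + control_offset(), sizeof control);
    control &= (uint16_t)~SE_SACL_PRESENT;
    memcpy(bytes + control_offset(), &control, sizeof control);
}

/* May an Untrusted-IL caller (the renderer) write to an object guarded by a
 * Medium-labelled descriptor, before and after the corruption? */
static bool untrusted_write_allowed(bool corrupted) {
    SECURITY_DESCRIPTOR_RELATIVE sd = {
        .Revision = 1,
        .Control  = SE_SELF_RELATIVE | SE_SACL_PRESENT | SE_DACL_PRESENT,
        .Owner = 20, .Group = 32, .Sacl = 44, .Dacl = 60 };
    sacl_label_t label = { SECURITY_MANDATORY_MEDIUM_RID, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP };
    if (corrupted) clear_sacl_present(&sd);
    return mandatory_check(&sd, &label, SECURITY_MANDATORY_UNTRUSTED_RID, ACCESS_WRITE);
}

int main(void) {
    printf("Control sits at byte offset %zu of the descriptor\n", control_offset());
    printf("untrusted write, intact SD:      %s\n", untrusted_write_allowed(false) ? "allowed" : "denied");
    printf("untrusted write, SE_SACL_PRESENT cleared: %s\n", untrusted_write_allowed(true) ? "allowed" : "denied");
    return 0;
}
```

`Control` starts two bytes into the descriptor, right after `Revision` and `Sbz1`, so a primitive that writes a fixed-size chunk has to be positioned so that its controlled bytes cover exactly those two bytes without trampling the `Owner` offset that follows.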
## Exploitation
- Status: A public PoC exists for the original CVE; the full sandbox-escape chain was demonstrated in the source's test environment.
- Complexity: High (the kernel race must be won and then chained with two sandbox-specific bypasses, the integrity-check skip and the `winlogon.exe` injection, with byte-precise placement of a partially controlled 32-byte write; the author also had to work around a Hyper-V display quirk).
- Attack Vector: Local (Exploitation begins from a user-controlled context within the sandboxed process, escalating its privileges).
## Impact
- Confidentiality: High (Achieves SYSTEM privileges, granting access to all system data).
- Integrity: High (Achieves SYSTEM privileges, full control over the operating system).
- Availability: Medium (Potential for destabilizing the system during exploitation, though the goal was privilege escalation).
## Remediation
### Patches
- The source does not list patched builds; it only notes that the analysis machine ran a build predating 24H2. The fix for CVE-2024-30088 shipped in Microsoft's June 2024 security update, so any cumulative update from that month or later for the affected Windows versions closes the TOCTOU.
### Workarounds
- The chain relies on the kernel bug first and only then on token manipulation and code injection into `winlogon.exe`, so there is no reliable workaround for the TOCTOU itself short of patching. Renderer sandboxing (Untrusted IL, job restrictions, a privilege-less token) raised the cost of exploitation but did not stop it.
- **Environmental Consideration:** If using Hyper-V, disabling **Enhanced Session Mode** was necessary for the final shell to appear correctly, indicating this mode might interact differently with target processes like `winlogon.exe`.
## Detection
- **Indicators of Compromise (IOCs):**
    * A process that should be confined to Untrusted Integrity Level (a Chrome renderer) successfully opening or querying objects that the mandatory integrity check should deny; the chain works by making the kernel skip that check for `SepMediumDaclSd`.
    * A renderer process calling `NtQueryInformationToken` with `TokenAccessInformation` in a tight loop from several threads: winning the race takes many attempts.
    * Handles opened with write or thread-creation rights, memory written, and threads created in `winlogon.exe` by a `chrome.exe` renderer process.
    * `winlogon.exe` spawning a child that is not one of its expected children (`LogonUI.exe`, `userinit.exe`, `dwm.exe`, `fontdrvhost.exe`); in the chain it calls `CreateProcess` on the renderer's behalf because the job object blocks the renderer from doing so.
- **Detection Methods and Tools:**
    * ETW or EDR telemetry on system-call arguments is the only place the kernel-side race shows up; in practice the chain is easier to catch at its user-mode seams.
    * Process-access and remote-thread telemetry (Sysmon Event ID 10 and Event ID 8) where the source image is `chrome.exe` and the target is `winlogon.exe`, and process-creation telemetry (Sysmon Event ID 1) where `winlogon.exe` is the parent of an unexpected image.
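The two user-mode seams listed above, injection into `winlogon.exe` from a renderer and `winlogon.exe` spawning an unexpected child, turned into detection logic and run over sample records. This is an added example, not a detection from the post or from any product. The records are constructed for the example and use a pipe-delimited layout of Sysmon field names (`EventID`, `SourceImage`, `TargetImage`, `GrantedAccess`, `Image`, `ParentImage`); real Sysmon output is XML or JSON and would need a different parser. The `PROCESS_*` access-right values are the real `winnt.h` constants; the allow-list of legitimate `winlogon.exe` children is an assumption a deployment would tune.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample records (not captured telemetry). Sysmon EventID 1 =
 * process create, 8 = CreateRemoteThread, 10 = ProcessAccess. */
static const char *SAMPLE_LOG[] = {
    "EventID=10|SourceImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|TargetImage=C:\\Windows\\System32\\winlogon.exe|GrantedAccess=0x1FFFFF",
    "EventID=8|SourceImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|TargetImage=C:\\Windows\\System32\\winlogon.exe|StartAddress=0x00000203A1D00000",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\winlogon.exe|IntegrityLevel=System",
    "EventID=1|Image=C:\\Windows\\System32\\LogonUI.exe|ParentImage=C:\\Windows\\System32\\winlogon.exe|IntegrityLevel=System",
    "EventID=10|SourceImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|GrantedAccess=0x1000",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Access rights that let one process plant code in another (winnt.h). */
#define PROCESS_CREATE_THREAD 0x0002
#define PROCESS_VM_OPERATION  0x0008
#define PROCESS_VM_WRITE      0x0020
#define INJECTION_RIGHTS (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

/* Children winlogon.exe legitimately spawns (assumed allow-list). */
static const char *WINLOGON_EXPECTED_CHILDREN[] = {
    "LogonUI.exe", "userinit.exe", "dwm.exe", "fontdrvhost.exe" };
#define EXPECTED_LEN (sizeof WINLOGON_EXPECTED_CHILDREN / sizeof WINLOGON_EXPECTED_CHILDREN[0])

enum verdict { BENIGN = 0, INJECT_INTO_WINLOGON = 1, UNEXPECTED_WINLOGON_CHILD = 2 };

/* Copy the value of `key` out of a pipe-delimited record; false if absent.
 * Keys are matched only at the start of a field, so "Image" does not match
 * "SourceImage" or "ParentImage". */
static bool get_field(const char *rec, const char *key, char *out, size_t cap) {
    size_t klen = strlen(key);
    const char *p = rec;
    while (p != NULL) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '|');
            size_t n = end ? (size_t)(end - v) : strlen(v);
            if (n >= cap) n = cap - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return true;
        }
        p = strchr(p, '|');
        if (p != NULL) p++;
    }
    return false;
}

/* Case-insensitive comparison of a path's final component with `want`. */
static bool image_is(const char *path, const char *want) {
    const char *s = strrchr(path, '\\');
    const char *a = s ? s + 1 : path;
    for (; *a && *want; a++, want++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*want)) return false;
    return *a == '\0' && *want == '\0';
}

static enum verdict classify(const char *rec) {
    char id[8], a[260], b[260], access[24];
    if (!get_field(rec, "EventID", id, sizeof id)) return BENIGN;
    int event = atoi(id);
    if (event == 8 || event == 10) {
        if (!get_field(rec, "SourceImage", a, sizeof a) ||
            !get_field(rec, "TargetImage", b, sizeof b)) return BENIGN;
        if (!(image_is(a, "chrome.exe") && image_is(b, "winlogon.exe"))) return BENIGN;
        if (event == 8) return INJECT_INTO_WINLOGON;        /* remote thread into winlogon */
        unsigned long mask = get_field(rec, "GrantedAccess", access, sizeof access)
                           ? strtoul(access, NULL, 16) : 0;  /* strtoul accepts the 0x prefix */
        return (mask & INJECTION_RIGHTS) ? INJECT_INTO_WINLOGON : BENIGN;
    }
    if (event == 1) {
        if (!get_field(rec, "Image", a, sizeof a) ||
            !get_field(rec, "ParentImage", b, sizeof b)) return BENIGN;
        if (!image_is(b, "winlogon.exe")) return BENIGN;
        for (size_t i = 0; i < EXPECTED_LEN; i++)
            if (image_is(a, WINLOGON_EXPECTED_CHILDREN[i])) return BENIGN;
        return UNEXPECTED_WINLOGON_CHILD;
    }
    return BENIGN;
}

/* Run the rules over the sample and return how many records alerted. */
static int count_alerts(void) {
    int n = 0;
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        if (classify(SAMPLE_LOG[i]) != BENIGN) n++;
    return n;
}

int main(void) {
    static const char *names[] = { "benign", "injection into winlogon.exe", "unexpected winlogon.exe child" };
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        printf("[%s] %.70s...\n", names[classify(SAMPLE_LOG[i])], SAMPLE_LOG[i]);
    return 0;
}
```

The `GrantedAccess` test matters for Event ID 10: a `chrome.exe` handle to `winlogon.exe` with only `PROCESS_QUERY_LIMITED_INFORMATION` (0x1000) is noise, while one carrying `PROCESS_VM_WRITE` or `PROCESS_CREATE_THREAD` is exactly what the injection step needs. The child-process rule catches the other half of the chain regardless of how the code got into `winlogon.exe`.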
## References
- Vendor Advisories: Search for Microsoft Security Updates referencing CVE-2024-30088.
- Relevant Links:
* STAR Labs Blog Post: hxxps://starlabs.sg/blog/2025/07-fooling-the-sandbox-a-chrome-atic-escape/
* Public POC (for initial exploit): hxxps://github.com/tykawaii98/CVE-2024-30088