
Casey
271 posts

Casey
@_subTee
I like to read books. Ephemeral posts. research, founder Alloy Secure Group https://t.co/0hLYuErIjI












Lazarus used this as a zero-day. No BYOVD needed. The vulnerable driver is already on every Windows machine. CVE-2024-21338 exploits appid.sys (AppLocker's driver) to call a user-controlled function pointer in kernel mode. The exploit uses ExpProfileDelete as a valid kCFG target to decrement PreviousMode from 1 to 0. Once PreviousMode is flipped, NtWriteVirtualMemory and NtReadVirtualMemory skip all security checks. Full admin-to-kernel LPE with token manipulation. Works on Windows 10 and 11 with HVCI enabled. Full PoC included. If you just read the PreviousMode mitigation post by @yarden_shafir, this is the CVE that forced Microsoft to add it. hakaisecurity.io/cve-2024-21338… github.com/hakaioffsec/CV… Author: @HakaiOffsec #WindowsInternals #ExploitDevelopment #InfoSec









