CVE-2024-30088 — NT Kernel TokenAccessInformation TOCTOU
Last updated: 2026-04-28
Component: ntoskrnl.exe — AuthzBasepCopyoutInternalSecurityAttributes
Bug Class: Time-of-check / Time-of-use (TOCTOU) race in copy-out of _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
Patch: June 2024 Patch Tuesday
Exploited ITW: Yes — APT34 / OilRig (Iran-aligned)
Discoverers: carrot_c4k3 (Pwn2Own Vancouver 2024 — Windows LPE category, 50% prize / $15,000)
Related: Race Conditions, IORING, Primitives
Tags: toctou, ntoskrnl, iouring, kernel-mode, lpe
Summary
A TOCTOU race in NtQueryInformationToken(TokenAccessInformation) allows a low-privileged user-mode caller to redirect a kernel-mode copy-out into arbitrary kernel memory. Because Windows still doesn’t enforce SMAP, an attacker can swap a UNICODE_STRING.Buffer field between validation and use so the kernel writes attacker-controlled bytes to a kernel address of choice — turned into kernel R/W via an IORING object.
Patched in June 2024 and weaponized by APT34 / OilRig within months.
Root cause
The vulnerable function is AuthzBasepCopyoutInternalSecurityAttributes. When the kernel copies a token’s SecurityAttributesList to user mode, it builds an array of _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION entries directly in the user-supplied output buffer, then calls RtlCopyUnicodeString and AuthzBasepCopyoutInternalSecurityAttributeValues to copy each Name and Value.
RtlCopyUnicodeString does no destination validation — it assumes a kernel-mode destination. With the destination living in attacker-mapped memory, the attacker can race the second copy: one thread keeps calling NtQueryInformationToken, while a second thread continually flips the Buffer pointer of the staged UNICODE_STRING to a chosen kernel address. The kernel reads the swapped pointer between the validation and the copy, then writes the next chunk into kernel memory.
This is a write-what-where primitive scoped to the bytes the kernel was about to copy (the attribute name string, e.g. TSA://ProcUnique — 32 bytes).
Exploitation
The carrot_c4k3 chain:
- Heap-shape an IO Ring so an IORING_OBJECT.RegBuffers pointer lives at a known offset. The exploit writes 28 bytes preceding it to corrupt the lower 4 bytes of the pointer, plus a 32-byte string ("TSA://ProcUnique").
- Use the TOCTOU write to rewrite the lower bytes of RegBuffers so it points to a user-mapped fake _IOP_MC_BUFFER_ENTRY array.
- One controlled kernel write before the kernel notices the corruption — the trick is to NULL-out the adjacent CompletionUserEvent to delay the crash.
- Promote to AAR/AAW through BuildIoRingWriteFile/BuildIoRingReadFile against fake buffer entries (the standard IORING primitive — see IORING).
- Token swap. Locate the current process's EPROCESS, copy the SYSTEM token onto it, return.
On Xbox, the chain pivots through a prefetch side-channel for the kernel base leak instead of NtQuerySystemInformation (suppressed without privilege).
ITW — APT34 / OilRig
Microsoft and external trackers attribute observed exploitation to APT34 (OilRig). Used post-foothold for SYSTEM elevation; pairs naturally with phishing or webshell access on government / energy targets in the Middle East. Once the bug was public via Pwn2Own writeups, weaponization spread quickly — the bug is conceptually simple and the IORING-based promotion is now standard Windows-LPE tradecraft.
Detection
- NtQueryInformationToken calls with TokenAccessInformation from non-typical processes; tight loops are a strong signal.
- IORING objects whose RegBuffers pointer is within the user-mode VA range.
- Sudden token impersonation / SYSTEM elevation immediately after an information-class query.
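As an added example (not from this page or the referenced writeups), a small Python triage script that applies the three detection heuristics above to constructed telemetry. The key=value log format, the event names, the 50-queries-per-second loop threshold and the 5 s elevation window are all assumptions; tune them to whatever your EDR or ETW pipeline actually emits.

```python
import re
from collections import Counter

USER_VA_MAX = 0x00007FFFFFFFFFFF  # highest x64 user-mode address; a real RegBuffers pointer sits above it

# Constructed sample telemetry in a hypothetical key=value format (not real ETW/Sysmon output).
_QUERY = ("ts={ts:.3f} pid={pid} image={img} event=syscall "
          "name=NtQueryInformationToken class=TokenAccessInformation")
SAMPLE_LOG = "\n".join(
    # pid 4321: 80 TokenAccessInformation queries in 0.4 s, the tight loop used to win the race
    [_QUERY.format(ts=100 + i * 0.005, pid=4321, img="notepad.exe") for i in range(80)]
    # pid 812: a single benign query
    + [_QUERY.format(ts=100.2, pid=812, img="svchost.exe"),
       # IORING objects: 4321's RegBuffers points into user space, 812's into kernel space
       "ts=100.5 pid=4321 image=notepad.exe event=ioring regbuffers=0x000001c8a0b10000",
       "ts=100.6 pid=812 image=svchost.exe event=ioring regbuffers=0xffffc58d1e4a2000",
       # 4321's token becomes SYSTEM shortly after the query burst
       "ts=100.9 pid=4321 image=notepad.exe event=token_change new_sid=S-1-5-18"])

def parse_log(text):
    """Turn key=value telemetry lines into dicts; ts and pid become numbers."""
    events = [dict(re.findall(r"(\w+)=(\S+)", line)) for line in text.splitlines()]
    for ev in events:
        ev["ts"], ev["pid"] = float(ev["ts"]), int(ev["pid"])
    return events

def is_token_access_query(ev):
    return ev.get("name") == "NtQueryInformationToken" and ev.get("class") == "TokenAccessInformation"

def tight_query_loops(events, window=1.0, threshold=50):
    """PIDs issuing >= threshold TokenAccessInformation queries inside one window (seconds)."""
    buckets = Counter((ev["pid"], int(ev["ts"] // window)) for ev in events if is_token_access_query(ev))
    return {pid for (pid, _), n in buckets.items() if n >= threshold}

def user_va_regbuffers(events):
    """PIDs owning an IORING whose RegBuffers pointer lies in the user-mode VA range."""
    return {ev["pid"] for ev in events
            if ev.get("event") == "ioring" and 0 < int(ev["regbuffers"], 16) <= USER_VA_MAX}

def elevation_after_query(events, window=5.0):
    """PIDs whose token became SYSTEM (S-1-5-18) within window seconds of a TokenAccessInformation query."""
    last_query, hits = {}, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_token_access_query(ev):
            last_query[ev["pid"]] = ev["ts"]
        elif (ev.get("event") == "token_change" and ev.get("new_sid") == "S-1-5-18"
              and ev["ts"] - last_query.get(ev["pid"], float("-inf")) <= window):
            hits.add(ev["pid"])
    return hits
```

Each heuristic alone is noisy (benign code does query TokenAccessInformation); a process that trips all three in sequence is the signal worth paging on.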
References
- carrot_c4k3 — CVE-2024-30088: Pwning Windows Kernel @ Pwn2Own Vancouver 2024 (Plus Xbox) — https://exploits.forsale/pwn2own-2024/
- Rapid7 — cve_2024_30088_authz_basep Metasploit module
- Shira Borochovich — CVE-2024-30088: Kernel-Level TOCTOU Vulnerability Abused by APT34 for Privilege Escalation in Windows (Medium)
- AttackerKB — CVE-2024-30088 topic
- Microsoft MSRC — CVE-2024-30088 advisory
