|
| 1 | +--- |
| 2 | +title: "CVE-2025-60719 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability" |
| 3 | +pubDate: 2025-12-20 |
| 4 | +author: "Ghostbyt3" |
| 5 | +tags: ["1day", "afd.sys", "windows", "kernel"] |
| 6 | +description: "Race condition use-after-free vulnerability in Windows AFD driver (`afd.sys`) allowing local privilege escalation to SYSTEM. Occurs when one thread queries socket information (`AFD_MAX_PATH_SEND_SIZE`) while another thread simultaneously unbinds the socket, causing the first thread to dereference freed kernel memory." |
| 7 | +--- |
| 8 | + |
| 9 | +**CVE-2025-60719:** https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60719 |
| 10 | +**Vulnerability Type:** Untrusted Pointer Dereference |
| 11 | +**Driver Version:** afd.sys - 10.0.26100.7019 |
| 12 | + |
| 13 | +## Vulnerability analysis |
| 14 | + |
| 15 | +The Windows Ancillary Function Driver for WinSock is a kernel-mode component that implements low-level socket handling for Windows. It's a critical system driver that serves as the bridge between user-mode applications and the kernel networking stack. This is a Windows component that is responsible for serving the Winsock API. |
| 16 | + |
| 17 | +The vulnerability exists in the following functions, which all follow a similar methodology: `AfdGetInformation`, `AfdSocketTransferEnd`, and `AfdSocketTransferBegin`. |
| 18 | + |
| 19 | +By examining `AfdGetInformation`, which is used to retrieve information about a socket, |
| 20 | + |
| 21 | +**Line 81** – The function checks whether `Src` is not equal to **5**. Here, `Src` corresponds to the `AFD_INFORMATION` structure provided via the input buffer. The vulnerability is associated with the `AFD_MAX_PATH_SEND_SIZE` class/type, so the `InformationType` must be set to **5** to reach the vulnerable code path. If this condition is met, execution jumps to **line 171**. |
| 22 | + |
| 23 | +**Line 171** – At this point, `v11` represents an `AFD_ENDPOINT` structure. The code performs three checks in order to enter the conditional statement: |
| 24 | + |
| 25 | +* It checks whether `AFD_ENDPOINT->InLine` is `FALSE`. |
| 26 | +* `a5` represents the buffer length, and the code verifies that it is greater than `0x10`. |
| 27 | +* It checks whether `AFD_ENDPOINT->State` is either `3` (`AfdEndpointStateConnected`) or `4` (`AfdEndpointStateCleanup`) (the exact semantic meaning of these states is inferred and not fully confirmed). |
| 28 | + |
| 29 | +**Line 178** – Once all conditions are satisfied, the function calls `IoAllocateMDL()` to allocate a Memory Descriptor List (MDL) for mapping the user-supplied buffer. The buffer size is passed as the second argument (`a5`). |
| 30 | + |
| 31 | +**Line 193** – The specified virtual pages are then locked in memory. |
| 32 | + |
| 33 | +**Line 197** – Finally, the function calls `AfdIssueDeviceControl()`, which sends an IRP to the specified device object. |
| 34 | + |
| 35 | +The race window exists between the `AFD_ENDPOINT` state checks and the call to `AfdIssueDeviceControl()`. Since `AfdGetInformation()` is used to query socket information, if the socket is unbound (released) after the endpoint checks but before the IOCTL is issued, the IRP may dereference pointers that have already been freed. This can lead to a use-after-free condition and potentially trigger a system bugcheck. |
| 36 | + |
| 37 | + |
| 38 | + |
| 39 | + |
| 40 | +## Exploit |
| 41 | + |
| 42 | +Tested on: Windows 11 24H2 |
| 43 | +POC: https://github.com/ghostbyt3/WinDriver-EXP/blob/main/CVE-2025-60719/POC/main.cpp |
| 44 | + |
| 45 | + |
| 46 | + |
| 47 | + |
| 48 | + |
| 49 | +## Patch Analysis |
| 50 | + |
| 51 | +Analyzing the patched version of the `AfdGetInformation()` function, new functions have been introduced to address this issue. First, the `AfdPreventUnbind()` function (line 219) is called with the `AFD_ENDPOINT`. This function ensures that the socket cannot be unbound during the critical section. |
| 52 | +Next, the function calls `AfdIssueDeviceControl()` (line 242), which sends an IRP to the specified device object. After this operation completes, another newly introduced function, `AfdReallowUnbind()` (line 251), is called to re-enable the unbind operation for the socket. |
| 53 | +This sequence prevents the socket from being unbound while the IOCTL request is in progress, thereby eliminating the race condition. |
| 54 | + |
| 55 | + |
| 56 | + |
| 57 | + |
| 58 | +**References:** |
| 59 | + |
| 60 | +- https://www.akamai.com/blog/security-research/inside-fix-ai-root-cause-analysis-cve-2025-60719 |
0 commit comments