PoC Archive

CVE-2024-21338 — Local Privilege Escalation from Admin to Kernel

by hakaioffsec · 2026-05-15

CVSS:              7.8/10
Severity:          High
CVE:               CVE-2024-21338
Category:          binary
Affected product:  Microsoft Windows AppLocker driver path (\Device\AppID)
Affected versions: Windows 10 and Windows 11 with HVCI enabled (per source repository)
Disclosed:         2026-05-15
Patch status:      patched

Metadata

Field                 Value
Date Added            2026-05-15
Author / Researcher   hakaioffsec
CVE / Advisory        CVE-2024-21338
Category              binary
Severity              High
CVSS Score            7.8 (estimated, CVSSv3)
Status                Weaponized
Tags                  LPE, Windows, AppLocker, token-impersonation, HVCI, admin-to-kernel, local-user

Affected Target

Field                     Value
Software / System         Microsoft Windows AppLocker driver path (\Device\AppID)
Versions Affected         Windows 10 and Windows 11 with HVCI enabled (per source repository)
Language / Platform       C++ / Windows
Authentication Required   Yes (local administrator execution)
Network Access Required   Local only

Summary

This PoC targets CVE-2024-21338, a Windows local privilege-escalation issue that allows escalation from a local administrator context to kernel-level control. The exploit chain first performs token impersonation and then abuses an AppLocker IOCTL handler with crafted input structures. On vulnerable systems, successful execution yields kernel-level privileges and therefore the potential for full host takeover.


Vulnerability Details

Root Cause

The public PoC indicates unsafe handling in the AppLocker AipSmartHashImageFile IOCTL handler (0x22A018), where attacker-influenced fields can be used to manipulate kernel object state. The exploit uses leaked kernel addresses and a gadget path to modify the calling thread's PreviousMode.

Attack Vector

A local attacker with administrator-level execution runs the PoC binary on Windows 10/11 with HVCI enabled. The code impersonates privileged tokens and then sends a crafted request to \Device\AppID via native API calls.

Impact

Local privilege escalation from administrator to kernel-level capabilities, enabling complete compromise of the host.


Environment / Lab Setup

OS:          Windows 10 / Windows 11 (HVCI enabled)
Target:      Vulnerable AppLocker IOCTL path
Attacker:    Local administrator account in authorized test lab
Tools:       Visual Studio (C++), Windows SDK

Proof of Concept

Step-by-Step Reproduction

  1. Compile PoC using Visual Studio (Release or Debug).
  2. Execute as local administrator on an authorized vulnerable lab machine.
  3. Observe logs showing AppID device handle opening, IOCTL dispatch, and PreviousMode transitions.

Exploit Code

See poc.cpp in this folder.

// Minimal concept snippet — full exploit in poc.cpp
log_debug("Sending IOCTL request to 0x22A018 (AipSmartHashImageFile)");
if (!this->send_ioctl_request(h_device, ioctl_buffer, ioctl_buffer_length))
    return false;

Expected Output

[.] AppLocker (AppId) handle opened: 0x...
[.] Sending IOCTL request to 0x22A018 (AipSmartHashImageFile)
[.] Current PreviousMode -> 0

Screenshots / Evidence

  • screenshots/ — add authorized lab screenshots showing successful exploitation indicators.

Detection & Indicators of Compromise

- Suspicious user-process access to \Device\AppID with IOCTL 0x22A018
- Token impersonation chain to SYSTEM/LOCAL SERVICE in unusual process context
- Native API patterns involving NtDeviceIoControlFile and NtWriteVirtualMemory

SIEM / IDS Rule (example):

Detect elevated user process -> \Device\AppID handle -> IOCTL 0x22A018
combined with privileged token impersonation behavior.
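As an added illustration of the rule above (not code from the PoC repository or this archive entry), the following Python sketch correlates constructed endpoint telemetry per process: an impersonation of SYSTEM or LOCAL SERVICE followed, within a time window, by IOCTL 0x22A018 to \Device\AppID. The event schema, field names and sample records are assumptions; a real deployment needs an ETW/EDR source that actually exposes the IOCTL code.

```python
# Added detection example (not from the PoC repo): correlate constructed endpoint
# telemetry for the pattern above. The event schema and field names are assumptions.
from collections import defaultdict

APPID_DEVICE = "\\Device\\AppID"
APPID_IOCTL = 0x22A018                       # AipSmartHashImageFile, from the PoC log
PRIV_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE"}

# Constructed sample events (assumed schema, not real EDR/ETW output).
SAMPLE_EVENTS = [
    {"ts": 10, "pid": 4120, "image": r"C:\Users\lab\poc.exe",
     "event": "ImpersonateToken", "target_sid": "S-1-5-18"},
    {"ts": 11, "pid": 4120, "image": r"C:\Users\lab\poc.exe",
     "event": "ImpersonateToken", "target_sid": "S-1-5-19"},
    {"ts": 12, "pid": 4120, "image": r"C:\Users\lab\poc.exe",
     "event": "NtDeviceIoControlFile", "device": APPID_DEVICE, "ioctl": APPID_IOCTL},
    {"ts": 13, "pid": 4120, "image": r"C:\Users\lab\poc.exe",
     "event": "NtWriteVirtualMemory", "target_pid": 4120},
    # Same IOCTL from a service that never impersonates: must NOT alert on its own.
    {"ts": 20, "pid": 912, "image": r"C:\Windows\System32\svchost.exe",
     "event": "NtDeviceIoControlFile", "device": APPID_DEVICE, "ioctl": APPID_IOCTL},
]


def correlate(events, window=60):
    """One alert per process that impersonates SYSTEM/LOCAL SERVICE and, within
    `window` seconds, sends IOCTL 0x22A018 to \\Device\\AppID."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        imperson = [e for e in evs if e["event"] == "ImpersonateToken"
                    and e.get("target_sid") in PRIV_SIDS]
        ioctls = [e for e in evs if e["event"] == "NtDeviceIoControlFile"
                  and e.get("device") == APPID_DEVICE and e.get("ioctl") == APPID_IOCTL]
        if not imperson or not ioctls:
            continue  # the IOCTL alone is a weak signal; require the token chain too
        first_imp = imperson[0]["ts"]
        hits = [e for e in ioctls if 0 <= e["ts"] - first_imp <= window]
        if hits:
            alerts.append({"pid": pid, "image": evs[0]["image"],
                           "impersonated": sorted({PRIV_SIDS[e["target_sid"]] for e in imperson}),
                           "ioctl_ts": hits[0]["ts"],
                           "wvm_follow_up": any(e["event"] == "NtWriteVirtualMemory" for e in evs)})
    return alerts
```

Only the process that shows both signals (pid 4120 in the constructed sample) produces an alert; the service that sends the same IOCTL without impersonating does not.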

Remediation

Action             Detail
Patch              Apply Microsoft updates addressing CVE-2024-21338
Workaround         Restrict execution of untrusted admin-level binaries and monitor AppID IOCTL activity
Config Hardening   Enforce least privilege, application allowlisting, and endpoint telemetry for native API abuse

Notes

Auto-ingested from https://github.com/hakaioffsec/CVE-2024-21338 on 2026-05-15.

main.cpp
// Disclaimer: For authorized security research and educational use only.
#include "pch.hpp"
#include "poc.hpp"
#include "impersonate.hpp"

INT APIENTRY wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow) {
    if (!impersonate->is_elevated()) {
        log_debug("You need to run this program as an administrator.");
        std::cin.get();
        return EXIT_FAILURE;
    }

    impersonate->impersonate_as_system();
    impersonate->impersonate_as_local_service();

    poc->act();

    std::cin.get();
    return EXIT_SUCCESS;
}