POC details: 74d277884f34c3980637198f48b580b60c45e5df

Source
Related vulnerability
Title: Microsoft Windows Cloud Files Mini Filter Driver security vulnerability (CVE-2024-26160)
Description: Microsoft Windows Cloud Files Mini Filter Driver is a cloud files filter driver from Microsoft (USA). Microsoft Windows Cloud Files Mini Filter Driver has a security vulnerability. The following products and versions are affected: Windows 11 Version 22H2 for ARM64-based Systems, Windows 11 Version 22H2 for x64-based Systems, Windows 11 Ve
Description
cldflt.sys information disclosure vulnerability (KB5034765 - KB5035853, Win 11).
Introduction
# CVE-2024-26160 (cldflt.sys information disclosure vulnerability)

This is a short writeup about **CVE-2024-26160**, which is present in the February patch level (**KB5034765**, Windows 11 22H2, Windows 11 23H2). The vulnerability was fixed in the March patch (**KB5035853**).

## Analysis

The vulnerability is located in the `CldiPortProcessGetRangeInfo` function, which does **not** check the size of the buffer passed in from the user application. Because that size is user-controlled, the `memmove` that copies the returned information can read past the intended data into a neighboring pool allocation that contains kernel addresses, provided the size is chosen accordingly.

![no-check](img/no-check.png)

![vuln](img/vuln.png)

The March patch (**KB5035853**) introduces an additional check for buffer size.

![patch](img/patch.png)

Under normal conditions the vulnerable function is reached through `CfGetPlaceholderRangeInfoForHydration`, which passes a fixed size for the returned buffer. To reach the vulnerable call with a different size, a data packet must be constructed that arrives at the vulnerable function directly. The call to that function passes through `CldiPortNotifyMessage`, where all packets, including some specific message types, are validated.

![packet-7](img/packet-7.png)

It is important to pass the message type in order to trigger the leak.

![call](img/call.png)

If the data packet is properly formed, the address leak is visible in the returned data.

![leak](img/leak.png)
File snapshot

```
[4.0K] /data/pocs/74d277884f34c3980637198f48b580b60c45e5df
├── [1.7K] CVE-2024-26160.sln
├── [6.5K] CVE-2024-26160.vcxproj
├── [ 887] CVE-2024-26160.vcxproj.filters
├── [ 973] defs.h
├── [4.0K] img
│   ├── [9.4K] call.png
│   ├── [102K] leak.png
│   ├── [7.8K] no-check.png
│   ├── [ 14K] packet-7.png
│   ├── [ 16K] patch.png
│   └── [ 18K] vuln.png
├── [9.0K] main.cpp
└── [1.4K] README.md

1 directory, 12 files
```