来源

关联漏洞

描述

cldflt.sys information disclosure vulnerability (KB5034765 - KB5035853, Win 11).

介绍

# CVE-2024-26160 (cldflt.sys information disclosure vulnerability)

There's small writeup about **CVE-2024-26160**, what can be found in the February patch (**KB5034765**, Windows 11 22H2, Windows 11 23H2). The vulnerability has been closed in the March patch (**KB5035853**).

## Analysis

The vulnerability is located in the `CldiPortProcessGetRangeInfo` function, it does **not** check for the buffer size passed from the user application. Since the size can be controlled by the user, `memmove`, which copies the returned information, can grab a neighboring memory pool that contains kernel addresses if the size is correctly passed.

![no-check](img/no-check.png)

![vuln](img/vuln.png)

The March patch (**KB5035853**) introduces an additional check for buffer size.

![patch](img/patch.png)

Under normal conditions, the vulnerable function is called when the `CfGetPlaceholderRangeInfoForHydration` function is called, it contains a fixed size for the returned buffer, so it is necessary to construct a data packet that will reach the vulnerable function call. The call of the required function passes through the `CldiPortNotifyMessage` function, where all packets, including some specific ones, must be validated.

![packet-7](img/packet-7.png)

It is important to pass the message type in order to trigger the leak.

![call](img/call.png)

If the data packet is properly formed, we will see address leakage.

![leak](img/leak.png)

文件快照

 [4.0K]  /data/pocs/74d277884f34c3980637198f48b580b60c45e5df
├── [1.7K]  CVE-2024-26160.sln
├── [6.5K]  CVE-2024-26160.vcxproj
├── [ 887]  CVE-2024-26160.vcxproj.filters
├── [ 973]  defs.h
├── [4.0K]  img
│   ├── [9.4K]  call.png
│   ├── [102K]  leak.png
│   ├── [7.8K]  no-check.png
│   ├── [ 14K]  packet-7.png
│   ├── [ 16K]  patch.png
│   └── [ 18K]  vuln.png
├── [9.0K]  main.cpp
└── [1.4K]  README.md

1 directory, 12 files

备注