Related vulnerability
Description
cldflt.sys information disclosure vulnerability (KB5034765 - KB5035853, Win 11).
Introduction
# CVE-2024-26160 (cldflt.sys information disclosure vulnerability)
This is a short writeup on **CVE-2024-26160**, which is present in the February patch (**KB5034765**, Windows 11 22H2, Windows 11 23H2). The vulnerability was fixed in the March patch (**KB5035853**).
## Analysis
The vulnerability is in the `CldiPortProcessGetRangeInfo` function, which does **not** check the size of the buffer passed from the user application. Because the size is user-controlled, the `memmove` that copies the returned information can read past the intended data into an adjacent pool allocation containing kernel addresses when a suitable size is supplied.

The March patch (**KB5035853**) adds a check on the buffer size.

Under normal conditions the vulnerable function is reached through `CfGetPlaceholderRangeInfoForHydration`, which uses a fixed size for the returned buffer, so to hit the unchecked path a data packet has to be constructed that reaches the vulnerable call directly. That call goes through `CldiPortNotifyMessage`, where every packet, including certain special ones, is validated.

The correct message type must be supplied for the leak to trigger.

If the data packet is properly formed, the leaked kernel addresses are visible in the returned data.

File snapshot
[4.0K] /data/pocs/74d277884f34c3980637198f48b580b60c45e5df
├── [1.7K] CVE-2024-26160.sln
├── [6.5K] CVE-2024-26160.vcxproj
├── [ 887] CVE-2024-26160.vcxproj.filters
├── [ 973] defs.h
├── [4.0K] img
│ ├── [9.4K] call.png
│ ├── [102K] leak.png
│ ├── [7.8K] no-check.png
│ ├── [ 14K] packet-7.png
│ ├── [ 16K] patch.png
│ └── [ 18K] vuln.png
├── [9.0K] main.cpp
└── [1.4K] README.md
1 directory, 12 files
Notes
1. It is recommended to access the original source first.
2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.