PoC details: 9be279aa2fb7263428452df6da7eec24223cf84c

Source
Related vulnerability
Title: Microsoft Windows Cloud Files Mini Filter Driver security vulnerability (CVE-2024-26160)
Description: Microsoft Windows Cloud Files Mini Filter Driver is a cloud files filter driver from the US company Microsoft. Microsoft Windows Cloud Files Mini Filter Driver contains a security vulnerability. The following products and versions are affected: Windows 11 Version 22H2 for ARM64-based Systems, Windows 11 Version 22H2 for x64-based Systems, Windows 11 Ve
Description
cldflt.sys information disclosure vulnerability (KB5034765 - KB5035853, Win 11).
Introduction
# CVE-2024-26160 (cldflt.sys information disclosure vulnerability)

This is a short writeup about **CVE-2024-26160**, which is present in the February patch (**KB5034765**, Windows 11 22H2, Windows 11 23H2). The vulnerability was fixed in the March patch (**KB5035853**).

## Analysis

The vulnerability is located in the `CldiPortProcessGetRangeInfo` function, which does **not** check the size of the buffer passed from the user application. Because the size is user-controlled, the `memmove` that copies the returned information can read from a neighbouring pool allocation containing kernel addresses if a suitable size is passed.

![no-check](img/no-check.png)

![vuln](img/vuln.png)

The March patch (**KB5035853**) introduces an additional check for buffer size.

![patch](img/patch.png)

Under normal conditions the vulnerable function is reached through `CfGetPlaceholderRangeInfoForHydration`, which uses a fixed size for the returned buffer, so a data packet must be constructed that reaches the vulnerable function call directly. The call to the required function passes through the `CldiPortNotifyMessage` function, where all packets, including some specific ones, must be validated.

![packet-7](img/packet-7.png)

The correct message type must be passed in order to trigger the leak.

![call](img/call.png)

If the data packet is properly formed, the address leak becomes visible.

![leak](img/leak.png)
File snapshot
 [4.0K]  /data/pocs/9be279aa2fb7263428452df6da7eec24223cf84c
├── [1.7K]  CVE-2024-26160.sln
├── [6.5K]  CVE-2024-26160.vcxproj
├── [ 887]  CVE-2024-26160.vcxproj.filters
├── [ 973]  defs.h
├── [4.0K]  img
│   ├── [9.4K]  call.png
│   ├── [102K]  leak.png
│   ├── [7.8K]  no-check.png
│   ├── [ 14K]  packet-7.png
│   ├── [ 16K]  patch.png
│   └── [ 18K]  vuln.png
├── [9.0K]  main.cpp
└── [1.4K]  README.md

1 directory, 12 files