Share
## https://sploitus.com/exploit?id=844CCD06-4D8F-55E6-B609-516775A872C6
# CVE-2024-26160 (cldflt.sys information disclosure vulnerability)

There's small writeup about **CVE-2024-26160**, what can be found in the February patch (**KB5034765**, Windows 11 22H2, Windows 11 23H2). The vulnerability has been closed in the March patch (**KB5035853**).

## Analysis

The vulnerability is located in the `CldiPortProcessGetRangeInfo` function, it does **not** check for the buffer size passed from the user application. Since the size can be controlled by the user, `memmove`, which copies the returned information, can grab a neighboring memory pool that contains kernel addresses if the size is correctly passed.

![no-check](img/no-check.png)

![vuln](img/vuln.png)

The March patch (**KB5035853**) introduces an additional check for buffer size.

![patch](img/patch.png)

Under normal conditions, the vulnerable function is called when the `CfGetPlaceholderRangeInfoForHydration` function is called, it contains a fixed size for the returned buffer, so it is necessary to construct a data packet that will reach the vulnerable function call. The call of the required function passes through the `CldiPortNotifyMessage` function, where all packets, including some specific ones, must be validated.

![packet-7](img/packet-7.png)

It is important to pass the message type in order to trigger the leak.

![call](img/call.png)

If the data packet is properly formed, we will see address leakage.

![leak](img/leak.png)