Microsoft’s Local Security Authority (LSA) is a key Windows service that handles user authentication and security policies. In early 2022, a vulnerability was found in how LSA handled memory, leading to CVE-2022-24493, an "information disclosure" bug. This means sensitive memory information could be leaked to local attackers, giving them a stepping stone for bigger attacks.
In this article, we’ll break down what CVE-2022-24493 is, how it can be exploited, and what Microsoft did to fix it. Let’s dive in, step by step.
What is CVE-2022-24493?
CVE-2022-24493 is an information disclosure vulnerability in the LSA Server, which can let an attacker with local access read memory not meant for them. Sometimes, this memory contains sensitive data like authentication tokens or passwords. This is particularly dangerous because LSA runs as a high-privilege service.
Microsoft’s Details:
- Microsoft Security Update Guide - CVE-2022-24493
How Does It Work?
The core issue lies in the way LSA responds to certain RPC (Remote Procedure Call) requests. Poor memory management meant that RPC call responses could contain extra, uninitialized memory — “bleeding” sensitive information from LSA’s process space.
Attackers could trigger these responses and read the leaked memory, gaining a foothold for further privilege escalation or lateral movement.
Proof of Concept (PoC) Code
Here’s an example (simplified) PowerShell script that interacts with LSA’s RPC interface, demonstrating how such vulnerabilities can be poked for leaks. (Note: This won’t work after patching, and omits real exploit logic for safety.)
```powershell
# WARNING: For educational purposes only
# Use Windows API to open a handle to LSA
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public class LSAUtils {
    // advapi32!LsaOpenPolicy is declared here but never invoked by this script;
    // running it only compiles this type and prints the placeholder below.
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern uint LsaOpenPolicy(
        ref LSA_UNICODE_STRING SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
        uint DesiredAccess,
        out IntPtr PolicyHandle
    );

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING {
        public ushort Length;
        public ushort MaximumLength;
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES {
        public int Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public uint Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }
}
"@

# Craft "bad" input to LSA functions to read uninitialized output
# This exploits similar structures LSA used before the patch
# In practice, exploiters would:
# - Connect to LSA via LsaOpenPolicy or raw RPC
# - Send malformed or unexpected values
# - Observe memory leaks in returned buffers

# Display placeholder to show where memory would be dumped
Write-Host "[!] Would dump leaked memory here (PoC redacted for safety)"
```
Note: A real exploit would require custom RPC calls to the LSA, using lower-level languages (like C) and specific protocol formats that trigger the flaw.
Some public write-ups and exploit discussions
- Vulnerability Details from ZDI
- Medium - Exploiting LSA Infoleak (not CVE-2022-24493, but a similar bug class)
Researchers found that by manipulating the input length or type to certain LSA RPC functions, responses would contain not just the data you requested, but also chunks of neighboring memory from LSA’s address space. Sometimes, this can include NTLM password hashes, Kerberos tickets, or internal tokens.
Persistence: use harvested tokens/hashes for future access.
Attackers often chain this info leak with other bugs to fully compromise Windows systems.
Microsoft’s Fix
Microsoft plugged this hole in its March 2022 Patch Tuesday release. The patch ensures LSA properly sanitizes all output buffers before sending them to callers, so no extra memory leaks out.
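To make the bug class concrete, here is an added illustration (not Microsoft's code and not the LSA implementation) of the pattern described under How Does It Work and the kind of fix described above: a constructed reply handler that trusts the caller's requested length and reuses an uncleared buffer, beside a hardened version that clears the buffer and never reports more bytes than it copied. All names, the 0xAA marker and the sample payload are assumptions made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker for leftover bytes from earlier use */

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Vulnerable pattern: the reply length comes from the caller's request, not
 * from the data actually available, and the buffer is never cleared. Bytes
 * of out[] past data_len are whatever the buffer held before. */
size_t serve_vuln(uint8_t *out, size_t out_cap,
                  const uint8_t *data, size_t data_len, size_t requested)
{
    size_t reply_len = min_sz(requested, out_cap);
    memcpy(out, data, min_sz(data_len, reply_len));
    return reply_len;                 /* may exceed data_len: stale tail leaks */
}

/* Hardened pattern: clear the whole output buffer first and never report
 * more bytes than were actually copied into it. */
size_t serve_fixed(uint8_t *out, size_t out_cap,
                   const uint8_t *data, size_t data_len, size_t requested)
{
    memset(out, 0, out_cap);
    size_t reply_len = min_sz(min_sz(requested, out_cap), data_len);
    memcpy(out, data, reply_len);
    return reply_len;
}

/* Count reply bytes beyond the real payload that still carry the marker. */
size_t count_stale(const uint8_t *out, size_t data_len, size_t reply_len)
{
    size_t n = 0;
    for (size_t i = data_len; i < reply_len; i++) n += (out[i] == STALE);
    return n;
}

/* Serve a 5-byte payload from a reused buffer when the caller asks for 16
 * bytes; returns how many stale bytes reached the caller (11 vs. 0). */
size_t demo(int fixed)
{
    uint8_t out[32];
    memset(out, STALE, sizeof out);        /* constructed: buffer reused as-is */
    const uint8_t payload[] = "hello";
    size_t n = fixed ? serve_fixed(out, sizeof out, payload, 5, 16)
                     : serve_vuln(out, sizeof out, payload, 5, 16);
    return count_stale(out, 5, n);
}
```

The vulnerable handler answers a 16-byte request with 5 real bytes followed by 11 bytes of whatever the buffer previously held, which is exactly the "extra, uninitialized memory" shape the article describes; the hardened one returns only the 5 bytes it filled.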
Patch Reference
- Microsoft Patch Notes for March 2022
How to Stay Safe
1. Patch Windows Systems
Always install the latest cumulative Windows updates.
2. Monitor Security Logs
Keep an eye out for unusual LSA behavior or failed login attempts.
3. Restrict Local Access
Exploiting this bug requires the attacker to already have local access or code execution on the machine, so limit who can log on or run code on your systems.
Summary Table
| Field | Description |
|-----------|----------------------------------------------------|
| CVE | CVE-2022-24493 |
| Severity | Important (6.5 CVSS v3.1) |
| Impact | Memory leakage / info disclosure via LSA RPC |
| Pre-req | Local access or code execution on Windows system |
| Fixed | Windows March 2022 cumulative update |
Original References
- Microsoft Security Guide
- Zero Day Initiative (ZDI) Advisory
Conclusion
CVE-2022-24493 is a potent reminder that even read-only bugs can have outsized impacts — especially when they involve Windows’ most powerful authentication processes. Patch up, monitor your logs, and always treat local access as a serious risk vector.
If you want more hands-on technical details (and can read C or RPC protocol docs), check the above references and always use virtual machines or sandboxes for any experiments!
Timeline
Published on: 04/15/2022 19:15:00 UTC
Last modified on: 04/22/2022 17:11:00 UTC