
CVE-2022-24494 PoC — Microsoft Windows Ancillary Function Driver for WinSock permission and access control vulnerability

Associated Vulnerability
Title: Microsoft Windows Ancillary Function Driver for WinSock permission and access control vulnerability (CVE-2022-24494)
Description: Microsoft Windows Ancillary Function Driver for WinSock is the Ancillary Function Driver for Winsock from Microsoft (USA). Microsoft Windows Ancillary Function Driver for WinSock contains a permission and access control vulnerability. The following products and versions are affected: Windows Server 2012, Windows Server 2012 (Server Core installation), Windows Serv
Description
CVE-2022-24494
Readme
# AFD
CVE-2022-24494

The vulnerability is an arbitrary kernel memory read. The root cause is a lack of validation of a memory address supplied from user-land that is then used as the source of a memcpy operation copying data from that address into pool memory.
The missing check is at Afd!AfdTliIoControl+0x40B.

![Image](/images/img1.png)

As the screenshot above shows, the user-land memory address is read from InputBuffer+0x20 a first time and properly compared against MmUserProbeAddress to confirm that it lies inside the user-land address space. The same address is then read a second time from InputBuffer+0x20 into the RAX register, and this second copy is not checked against MmUserProbeAddress. Because the unchecked copy is the one used afterwards, it is possible to supply an arbitrary kernel address.
The data at this address is later copied into a pool allocation (tag: AfdL) by the memcpy at AfdTliIoControl+0x5AB, shown below:

![Image](/images/img2.png)

The PoC below shows the kernel address supplied from user-land (0xffffffdeadbeef01):

![Image](/images/img4.png)

The driver tries to read from this invalid memory address, leading to a BSOD. The crash is simply the visible symptom of dereferencing an unmapped address; a mapped kernel address would be read without a crash, which is what makes this an arbitrary read rather than just a denial of service:

![Image](/images/img5.png)

The value copied to the destination pointer in the memcpy operation is later passed to the tcpip.sys driver. I have not dug into which internal objects are affected or whether it is possible to leak memory from user-land by calling APIs that could retrieve data from these potential internal objects.
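The check-then-use pattern described above, as an added example that is not part of the original PoC or of afd.sys: a user-mode C simulation of the AfdTliIoControl copy into the AfdL pool buffer, with the unchecked second fetch beside a hardened version that probes the exact pointer fed to memcpy. The simulated address space, the request layout beyond the pointer at +0x20, the length field, the status codes and the assumption that the first probe's result does not gate the later copy are all constructed for illustration; only the x64 MmUserProbeAddress value and the PoC's 0xffffffdeadbeef01 come from the real system and this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-mode simulation of the AfdTliIoControl copy path; no real
 * kernel memory is touched. Only USER_PROBE_ADDRESS is a real system value. */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL   /* x64 MmUserProbeAddress */

/* Simulated address space: one user page, one kernel page, all else unmapped. */
#define SIM_USER_BASE   0x0000000000400000ULL
#define SIM_KERNEL_BASE 0xFFFFF80000000000ULL
#define SIM_PAGE        0x1000

static uint8_t sim_user_page[SIM_PAGE];
static uint8_t sim_kernel_page[SIM_PAGE];

enum afd_status { AFD_OK = 0, AFD_ACCESS_VIOLATION = 1, AFD_BUGCHECK = 2 };

/* Map a simulated range to backing storage; NULL if any byte is unmapped. */
static const uint8_t *sim_map(uint64_t addr, size_t len)
{
    if (len > SIM_PAGE) return NULL;
    if (addr >= SIM_USER_BASE && addr - SIM_USER_BASE <= SIM_PAGE - len)
        return sim_user_page + (addr - SIM_USER_BASE);
    if (addr >= SIM_KERNEL_BASE && addr - SIM_KERNEL_BASE <= SIM_PAGE - len)
        return sim_kernel_page + (addr - SIM_KERNEL_BASE);
    return NULL;
}

/* ProbeForRead-style check: the whole range must lie below MmUserProbeAddress. */
static int probe_for_read(uint64_t addr, size_t len)
{
    if (len == 0) return 1;
    if (addr >= USER_PROBE_ADDRESS) return 0;
    return len <= USER_PROBE_ADDRESS - addr;
}

/* Hypothetical request layout: the README only names the pointer at +0x20. */
struct afd_tli_input {
    uint8_t  reserved[0x20];
    uint64_t user_ptr;    /* InputBuffer+0x20 */
    uint32_t length;      /* hypothetical byte count for the copy */
};

/* The memcpy into the AfdL pool buffer. Reading through an unmapped address is
 * the kernel's bugcheck, i.e. the BSOD shown on the page. */
static enum afd_status afd_copy_to_pool(uint64_t src, size_t len, uint8_t *pool)
{
    const uint8_t *p = sim_map(src, len);
    if (p == NULL) return AFD_BUGCHECK;
    memcpy(pool, p, len);
    return AFD_OK;
}

/* Vulnerable model of +0x40B..+0x5AB. Assumption: the first, probed fetch does not
 * gate the copy; the pointer is fetched again unchecked and that copy is used. */
static enum afd_status afd_tli_vulnerable(const struct afd_tli_input *in, uint8_t *pool)
{
    uint64_t checked = in->user_ptr;
    (void)probe_for_read(checked, in->length);  /* probed copy, not the one copied from */
    uint64_t rax = in->user_ptr;                /* second fetch: no MmUserProbeAddress check */
    return afd_copy_to_pool(rax, in->length, pool);
}

/* Hardened form: probe exactly the pointer that feeds the memcpy and fail closed. */
static enum afd_status afd_tli_hardened(const struct afd_tli_input *in, uint8_t *pool)
{
    uint64_t src = in->user_ptr;
    if (!probe_for_read(src, in->length)) return AFD_ACCESS_VIOLATION;
    return afd_copy_to_pool(src, in->length, pool);
}

/* Plant constructed data in both pages, issue one request, leave the bytes in pool. */
static enum afd_status run_request(uint64_t ptr, uint8_t pool[16], int hardened)
{
    memcpy(sim_user_page + 0x10, "user-data", 9);
    memcpy(sim_kernel_page + 0x100, "KERNEL-SECRET", 13);
    struct afd_tli_input in = {0};
    in.user_ptr = ptr;
    in.length = 13;
    memset(pool, 0, 16);
    return hardened ? afd_tli_hardened(&in, pool) : afd_tli_vulnerable(&in, pool);
}

int main(void)
{
    uint8_t pool[16];
    printf("vulnerable, user ptr:           status %d\n", run_request(SIM_USER_BASE + 0x10, pool, 0));
    printf("vulnerable, kernel ptr:         status %d, pool=\"%.13s\"\n",
           run_request(SIM_KERNEL_BASE + 0x100, pool, 0), (const char *)pool);
    printf("vulnerable, 0xffffffdeadbeef01: status %d (bugcheck)\n",
           run_request(0xffffffdeadbeef01ULL, pool, 0));
    printf("hardened, kernel ptr:           status %d (rejected before any read)\n",
           run_request(SIM_KERNEL_BASE + 0x100, pool, 1));
    return 0;
}
```

The simulation separates the two outcomes the page conflates: a mapped kernel address is copied into the pool buffer silently (the leak that matters), while the PoC's non-canonical 0xffffffdeadbeef01 only produces the bugcheck. The hardened path rejects the kernel address before any read because the probe is applied to the value that is actually dereferenced.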

Microsoft later published research discussing the potential EoP impact of this kind of vulnerability (arbitrary kernel memory read):

https://msrc-blog.microsoft.com/2022/03/22/exploring-a-new-class-of-kernel-exploit-primitive/

File Snapshot

/data/pocs/4d1619601aacbbaafb6c8ad4e6bb9598a67b2959
├── images
│   ├── img1.png  (50K)
│   ├── img2.png  (34K)
│   ├── img3.png  (22K)
│   ├── img4.png  (16K)
│   └── img5.png  (39K)
├── PoC_AFD.cpp   (3.9K)
└── README.md     (1.7K)

1 directory, 7 files