Zero Day Initiative | Blog
Follow
CVE-2024-43639: Remote Code Execution in Microsoft Windows KDC Proxy
A vulnerability in the Microsoft Windows Key Distribution Center (KDC) Proxy has been discovered, allowing for arbitrary code execution in the security context of the target service. The vulnerability is due to a missing check for the length of Kerberos responses, which can lead to an integer overflow. A remote, unauthenticated attacker can direct the KDC proxy to forward a Kerberos request to a server under their control, which would then send back a crafted Kerberos response. The KDC proxy reads 4 bytes from the network socket to get the Kerberos response length, but does not validate the length, allowing for an integer overflow. The vulnerability is triggered when the KDC proxy attempts to read the full response, and the code flow alternates between functions from the KDC proxy server and the Microsoft ASN.1 library. The vulnerability can be exploited by sending a crafted Kerberos response to the KDC proxy, which would then wrap it in a KDC proxy message and return it to the client. The vulnerability has been patched by Microsoft, and users are advised to apply the patch to prevent exploitation. The vulnerability affects Microsoft Windows Server operating systems, and can be exploited remotely. The KDC proxy is used to enable remote workloads, such as RDP Gateway and DirectAccess, and is typically run on domain-joined machines.