
CVE-2024-43535 PoC — Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

Associated vulnerability: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability (CVE-2024-43535)
Repository description: Reports and POCs for CVE-2024-43570 and CVE-2024-43535
Readme
# KTM_POCS

This repo contains reports for [CVE-2024-43570](https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-43570) and [CVE-2024-43535](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43535), two vulnerabilities I found in the Windows Kernel Transaction Manager (KTM) driver, tm.sys.

This repo also contains exploit code I used for the demos in the OffensiveCon25 Presentation: [Hunting for Overlooked Cookies in Windows 11 KTM and Baking Exploits for Them](https://youtu.be/goEb7eKj660?si=DR9TcnJZPicCIhGK) by Cedric Halbronn and Jael Koh.

Slides for the presentation are available [here](https://docs.google.com/presentation/d/1M_ziQt6rZA01ghsv0qo7lhqyOLIZYNnV-qjHWun6A1g/edit?usp=sharing).

*Exploit code was tested on a Windows 11 Pro 23H2 virtual machine running build 22631.4169 (September 2024 Patch Tuesday update), a pre-patch build.*

## Timeline

- 24 Apr 2024 - 26 Apr 2024: tm.sys research attempt #1
- 18 May 2024 - 20 May 2024: tm.sys research attempt #2
- 14 Jun 2024 - 7 Jul 2024: tm.sys research attempt #3
- 24 Jun 2024: Reported CVE-2024-43570 to MSRC
- 7 Jul 2024: Reported CVE-2024-43535 to MSRC
- 18 Jul 2024: US$2000 bounty awarded for CVE-2024-43570
- 5 Oct 2024: US$2000 bounty awarded for CVE-2024-43535
- 8 Oct 2024: Fixes for CVE-2024-43570 and CVE-2024-43535 released (October 2024 Patch Tuesday)
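A practical check to go with the timeline, added here and not part of the KTM_POCS repository: a PowerShell snippet that reads the installed build from the registry and compares it with the first Windows 11 23H2 build carrying the October 2024 fix. It assumes that build is 22631.4317 (KB5044285); confirm that against the MSRC advisories for your SKU, since 22H2, 24H2 and the Server releases have their own fixed builds. The function names (`Get-OsBuildVersion`, `Test-KtmPatched`) are mine.

```powershell
# Added example, not code from the KTM_POCS repo: does this host carry the
# October 2024 cumulative update that fixed CVE-2024-43570 and CVE-2024-43535?
# Assumption: on Windows 11 23H2 the fixed build is 22631.4317 (KB5044285).
# Other SKUs (22H2, 24H2, Server) have different fixed builds; check MSRC.
$FixedBuild = [version]'10.0.22631.4317'

function Get-OsBuildVersion {
    # CurrentBuildNumber (e.g. 22631) and UBR (e.g. 4169) together give the
    # full build as shown by winver; [version] makes them comparable.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
}

function Test-KtmPatched {
    param([version]$Build = (Get-OsBuildVersion))
    # Only meaningful when the build line matches the assumed fixed build (23H2 = 22631).
    if ($Build.Build -ne $FixedBuild.Build) { return $null }
    return ($Build -ge $FixedBuild)
}

$build = Get-OsBuildVersion
$tmSys = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\tm.sys')
"OS build:        $build"
"tm.sys version:  $($tmSys.VersionInfo.FileVersion)"   # for the record; the fix lives in this driver

$state = Test-KtmPatched -Build $build
if ($null -eq $state) {
    "Undetermined: build line $($build.Build) is not 23H2 (22631); look up the fixed build for this SKU."
} elseif ($state) {
    "Patched: $build >= $FixedBuild"
} else {
    "VULNERABLE: $build < $FixedBuild (the repo's test VM, 22631.4169, falls here)"
}
```

The build comparison is the reliable signal: the UBR value increases with every cumulative update, so any 23H2 host at or above the assumed fixed build has the tm.sys fix. The driver's file version is printed only as supporting evidence, since the fixed tm.sys version is not stated on this page.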
