Ludashi Driver Local Information Disclosure Vulnerability

Vulnerability

A local information disclosure vulnerability exists in the Ludashi driver in versions prior to 5.1025. The issue arises from inadequate access control in the IOCTL handler, which exposes a device interface to normal users. The handler processes attacker-controlled structures containing physical addresses from the lower 4GB, mapping arbitrary physical memory to user mode via MmMapIoSpace. This lack of privilege verification allows unprivileged users to read sensitive kernel data, including kernel structures, pointers, security tokens, and other confidential information. Additionally, this vulnerability can be exploited to bypass Kernel Address Space Layout Randomization (KASLR) and achieve local privilege escalation.
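The two checks the description says are missing (privilege verification and a limit on which physical ranges may be mapped), sketched as a user-mode C model of what the IOCTL handler should verify before it ever calls MmMapIoSpace. This is an added example, not the vendor's code or fix: the request layout, the allowlisted windows and the caller_is_admin flag are assumptions, since the page does not give the real structure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request layout; the page does not give the real structure. */
typedef struct { uint64_t phys_addr; uint32_t length; } map_request;
typedef struct { uint64_t base; uint64_t size; } phys_window;

/* Constructed allowlist: the only physical ranges the driver's device owns. */
static const phys_window k_allowed[] = {
    { 0xFED00000ull, 0x1000ull },
    { 0xFEC00000ull, 0x1000ull },
};

typedef enum { MAP_OK = 0, MAP_DENIED, MAP_BAD_SIZE, MAP_BAD_RANGE } map_status;

/* Gate for a map request. caller_is_admin is an assumption standing in for
 * the driver's real caller check (for example a restrictive device ACL). */
map_status validate_map_request(const map_request *req, size_t in_len,
                                bool caller_is_admin)
{
    if (!caller_is_admin)                 /* privilege verification first */
        return MAP_DENIED;
    if (req == NULL || in_len < sizeof(*req) || req->length == 0)
        return MAP_BAD_SIZE;              /* truncated or empty input buffer */

    for (size_t i = 0; i < sizeof(k_allowed) / sizeof(k_allowed[0]); i++) {
        const phys_window *w = &k_allowed[i];
        /* Overflow-safe containment: never computes phys_addr + length. */
        if (req->phys_addr >= w->base && req->length <= w->size &&
            req->phys_addr - w->base <= w->size - req->length)
            return MAP_OK;
    }
    return MAP_BAD_RANGE;                 /* RAM and every other address */
}

int main(void)
{
    map_request mmio = { 0xFED00010ull, 0x20 };    /* inside a window */
    map_request ram  = { 0x00100000ull, 0x1000 };  /* constructed RAM address */
    printf("%d %d %d\n",
           validate_map_request(&mmio, sizeof mmio, true),
           validate_map_request(&ram, sizeof ram, true),
           validate_map_request(&mmio, sizeof mmio, false));
    return 0;
}
```

Even with these checks in place, a driver that needs register values should copy them into the output buffer rather than hand a physical mapping to user mode.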

Impact

Exploitation of this vulnerability allows unprivileged users to read arbitrary physical memory, potentially disclosing sensitive kernel information and leading to local privilege escalation.

Reproduction

The vulnerability can be reproduced by loading the affected Ludashi driver and sending an IOCTL request through the exposed interface. The request can include arbitrary physical addresses in the lower 4 GB, which the driver maps into the calling application, returning the corresponding memory contents. This process can be automated with a proof of concept (PoC) available in the CVE-Publication GitHub repository.

Added: Jan 15, 2026, 4:54 PM
Updated: Jan 15, 2026, 5:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.